Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to modern cryptography: principles and protocols

Similar presentations


Presentation on theme: "Introduction to modern cryptography: principles and protocols"— Presentation transcript:

1 Introduction to modern cryptography: principles and protocols
by Jonathan Katz

2 Table of contents 1.Introduction and Classical Cryptography ----- 04
2.Perfectly-Secret Encryption 3.Public-Key Encryption 4.Cryptographic Hash Functions Message Authentication 5.Pseudorandom Permutations in Practice: Block Ciphers 6.Theoretical Constructions of Pseudorandom Objects

3 7.Number Theory and Cryptographic Hardness Assumptions -----278
8.Factoring and Computing Discrete Logarithms 9.Private-Key Management and the Public-Key Revolution 10.Additional Public-Key Encryption Schemes 11.Digital Signature Schemes 12.Public-Key Cryptosystems in the Random Oracle Model

4 Chapter 1 Introduction and Classical Cryptography

5 Attacks Interception Interruption Modification Fabrication

6 Interception (eavesdropping)
Unauthorized party gains access to service or data Example: Wiretapping to capture data into a network and coping of files

7 Interruption (denial of service)
Services or data become unavailable Examples: Destruction of a piece of hardware, cutting of cable and disabling of a file management system

8 Modification Unauthorized party changes the data or tampers with the service Examples: Changing values in a file, altering a program so that it performs differently and changing the contents of messages that are sent over the network

9 Fabrication Unauthorized party generates additional data or activity
Examples Hacker gaining access to a person’s and sending messages, and adding records to a file

10 Cryptography

11 What is cryptography? kryptos – “hidden” grafo – “write”
Keeping messages secret Usually by making the message unintelligible to anyone that intercepts it

12 The Problem Private Message Bob Alice Eavesdropping Eve

13 The Solution Bob Alice Eavesdropping Eve Encryption Decryption
Private Message Private Message Encryption Decryption Scrambled Message Bob Alice Eavesdropping Eve

14 What do we need? Bob and Alice want to be able to encrypt/decrypt easily But no one else should be able to decrypt How do we do this? Keys!

15 Using Keys Ciphertext Plaintext Plaintext Nonsense Encryption
Decryption Ciphertext Plaintext Plaintext

16 The Shift Cipher We “shift” each letter over by a certain amount
Plaintext five red balloons f + 3 = I i + 3 = L v + 3 = Y Key = 3 Encryption Ciphertext ILYH UHG EDOORRQV

17 The Shift Cipher To decrypt, we just subtract the key Ciphertext
ILYH UHG EDOORRQV I - 3 = f L - 3 = i Y - 3 = v Key = 3 Decryption five red balloons Plaintext

18 What’s wrong with the shift cipher?
Not enough keys! If we shift a letter 26 times, we get the same letter back A shift of 27 is the same as a shift of 1, etc. So we only have 25 keys (1 to 25) Eve just tries every key until she finds the right one

19 The Substitution Cipher
Rather than having a fixed shift, change every plaintext letter to an arbitrary ciphertext letter Plaintext Ciphertext a G b X c N d S e D z Q

20 The Substitution Cipher
Plaintext a G b X c N d S e D f A g F h V i L j M k C l O m E n B o Y p Z q P r H s W t I u J v R w U x K y T z Q five red balloons Key = f = A i = L v = R Encryption ALRD HDS XGOOYYBW Ciphertext

21 The Substitution Cipher
To decrypt we just look up the ciphertext letter in the table and then write down the matching plaintext letter How many keys do we have now? A key is just a permutation of the letters of the alphabet There are 26! permutations What’s wrong with this substitution Cipher?

22 Frequency Analysis In English (or any language) certain letters are used more often than others If we look at a ciphertext, certain ciphertext letters are going to appear more often than others It would be a good guess that the letters that occur most often in the ciphertext are actually the most common English letters

23 Letter Frequency This is the letter frequency for English
The most common letter is ‘e’ by a large margin, followed by ‘t’, ‘a’, and ‘o’ ‘J’, ‘q’, ‘x’, and ‘z’ hardly occur at all

24 Frequency Analysis in Practice
Suppose this is our ciphertext dq lqwurgxfwlrq wr frpsxwlqj surylglqj d eurdg vxuyhb ri wkh glvflsolqh dqg dq lqwurgxfwlrq wr surjudpplqj. vxuyhb wrslfv zloo eh fkrvhq iurp: ruljlqv ri frpsxwhuv, gdwd uhsuhvhqwdwlrq dqg vwrudjh, errohdq dojheud, gljlwdo orjlf jdwhv, frpsxwhu dufklwhfwxuh, dvvhpeohuv dqg frpslohuv, rshudwlqj vbvwhpv, qhwzrunv dqg wkh lqwhuqhw, wkhrulhv ri frpsxwdwlrq, dqg duwlilfldo lqwhooljhqfh.

25 Ciphertext distribution
English distribution In our ciphertext we have one letter that occurs more often than any other (h), and 6 that occur a good deal more than any others (d, l, q, r, u, and w) There is a good chance that h corresponds to e, and d, l, q, r, u, and w correspond to the 6 next most common English letters

26 Frequency Analysis If we replace ‘e’ with ‘h’ and the 6 next most common letters with their matches, the ciphertext becomes an intro???tion to ?o?p?tin? pro?i?in? a ?roa? ??r?e? o? t?e ?i??ip?ine an? an intro???tion to pro?ra??in?. ??r?e? topi?? ?i?? ?e ??o?en ?ro?: ori?in? o? ?o?p?ter?, ?ata repre?entation an? ?tora?e, ?oo?ean a??e?ra, ?i?ita? ?o?i? ?ate?, ?o?p?ter ar??ite?t?re, a??e???er? an? ?o?pi?er?, operatin? ???te??, net?or?? an? t?e internet, t?eorie? o? ?o?p?tation, an? arti?i?ia? inte??i?en?e.

27 Classical to Modern Cryptography
Classical cryptography Encryption/decryption done by hand Modern cryptography Computers to encrypt and decrypt Same principles, but automation allows ciphers to become much more complex

28 The Enigma Machine German encryption and decryption machine used in WWII Essentially a complex, automated substitution cipher

29 How did Enigma work? Rotors have different wiring connecting input to output Rotors move after each keypress The key is the initial position of the three rotors

30 Breaking the Enigma Britain set up its cryptanalysis team in Bletchley Park They consistently broke German codes throughout the war Important location in the history of computing Alan Turing: British Cryptanalyst COLOSSUS: used by British codebreakers for Cryptanalysis

31 Cryptography in the Computer Age
Working with binary instead of letters We can do things many, many times Think of an Enigma machine that has 2128 pairs of symbols on each rotor, and 20 rotors Other than that, the basic principles are the same as classical cryptography

32 Modern Ciphers We design one relatively simple scrambling method (called a round) and repeat it many times Think of each round as a rotor on the Enigma One round may be easy to break, but when you put them all together it becomes very hard Almost all ciphers follow one of two structures SPN (Substitution Permutation Network) Feistel Network (basis for DES) These describe the basic structure of a round

33 Modern Ciphers in Practice
Follow SPN/Feistel structure in general, but with added twists for security There are two important ciphers in the history of modern cryptography DES (Data Encryption Standard) AES (Advanced Encryption Standard)

34 DES U.S. Government recognized the need to have a standardized cipher for secret documents DES was developed by IBM in 1976 Analysis of DES was the beginning of modern cryptographic research

35 Breaking DES The key length of DES was too short
If a key is 56 bits long, that means there are 256 possible keys “DES Cracker” machines were designed to simply try all possible keys Increase key length to 128 bit Triple DES

36 Breaking DES DES was further weakened by the discovery of differential cryptanalysis Biham and Shamir in 1990; The most significant advance in cryptanalysis since frequency analysis Ideally a ciphertext should be completely random, there should be no connection to its matching plaintext Differential analysis exploits the fact that this is never actually the case; Uses patterns between plaintext and ciphertext to discover the key

37 Developing the AES With DES effectively broken, a new standard was needed In 2001, the Rijndael cipher was selected to become the Advanced Encryption Standard How to pronounce Rijndael? Well, technically [rɛindaːl], but “Rhine Dahl”, or even, “Rine Doll” is pretty close.

38 The Problem of Symmetric Key Cryptography
Up until now we’ve been talking about symmetric key cryptography Alice and Bob are using the same key to encrypt/decrypt Problem: How does Bob get the key to Alice when Eve is eavesdropping? Up until 1976 the only solution was to physically give Alice the key in a secure environment

39 Public Key Cryptography
Diffie and Hellman published a paper in 1976 providing a solution We use one key for encryption (the public key) and a different key for decryption (the private key) Everyone knows Alice’s public key, so they can encrypt messages and send them to her But only Alice has the key to decrypt those messages No one can figure out Alice’s private key even if they know her public key

40 Using Public Keys Ciphertext Plaintext Plaintext Nonsense Encryption
Decryption Ciphertext Plaintext Plaintext

41 Public Key Cryptography in Practice
The problem is that public key algorithms are too slow to encrypt large messages Instead Bob uses a public key algorithm to send Alice the symmetric key, and then uses a symmetric key algorithm to send the message The best of both worlds! Security of public key cryptography Speed of symmetric key cryptography

42 Sending a Message What’s your public key? hi
Bob picks a symmetric key and encrypts it using Alice’s public key Alice decrypts the symmetric key using her private key Then sends the key to Alice Bob encrypts his message using the symmetric key Then sends the message to Alice Alice decrypts the message using the symmetric key hi

43 The RSA Public Key Cipher
The most popular public key cipher is RSA, developed in 1977 Named after its creators: Rivest, Shamir, and Adleman Uses the idea that it is really hard to factor large numbers Create public and private keys using two large prime numbers Then forget about the prime numbers and just tell people their product Anyone can encrypt using the product, but they can’t decrypt unless they know the factors If Eve could factor the large number efficiently she could get the private key, but there is no known way to do this

44 Public-Key Cryptography: RSA (Rivest, Shamir, and Adleman)
Sender uses a public key Advertised to everyone Receiver uses a private key Plaintext Plaintext Internet Encrypt with public key Decrypt with private key Ciphertext

45 Generating Public and Private Keys
Choose two large prime numbers p and q (~ 256 bit long) and multiply them: n = p*q Chose encryption key e such that e and (p-1)*(q-1) are relatively prime Compute decryption key d, where d = e-1 mod ((p-1)*(q-1)) (equivalent to d*e = 1 mod ((p-1)*(q-1))) Public key consists of pair (n, e) Private key consists of pair (n, d)

46 RSA Encryption and Decryption
Encryption of message block m: c = me mod n Decryption of ciphertext c: m = cd mod n

47 Example (1/2) Choose p = 7 and q = 11  n = p*q = 77
Compute encryption key e: (p-1)*(q-1) = 6*10 = 60  chose e = 13 (13 and 60 are relatively prime numbers) Compute decryption key d such that 13*d = 1 mod 60  d = 37 (37*13 = 481)

48 Example (2/2) n = 77; e = 13; d = 37 Send message block m = 7
Encryption: c = me mod n = 713 mod 77 = 35 Decryption: m = cd mod n = 3537 mod 77 = 7

49 Properties Confidentiality
A receiver B computes n, e, d, and sends out (n, e) Everyone who wants to send a message to B uses (n, e) to encrypt it How difficult is to recover d ? (Someone that can do this can decrypt any message sent to B!) Recall that d = e-1 mod ((p-1)*(q-1)) So to find d, you need to find primes factors p and q This is provable very difficult

50 RSA Factoring Challenge
In mathematics, the RSA numbers are a set of large semiprimes (numbers with exactly two prime factors) that are part of the RSA Factoring Challenge. RSA-768 has 232 decimal digits and was factored on December 12, It’s the largest factored RSA number to date. RSA-2048 may not be factorizable for many years to come, unless considerable advances are made in integer factorization or computational power in the near future.

51 RSA Factoring Challenge
Suppose, for example, that in the year 2020 a factorization of RSA-1024 is announced that requires 6 months of effort on 100,000 workstations. In this hypothetical situation, would all 1024-bit RSA keys need to be replaced? The answer is no. If the data being protected needs security for significantly less than six months, and its value is considerably less than the cost of running 100,000 workstations for that period, then 1024-bit keys may continue to be used.

52 Are we all secure now? Unfortunately not, there are still many problems that need to be dealt with How does Bob know that he’s really talking to Alice? How does Alice know that the message she receives hasn’t been tampered with? How does Alice know the message was sent by Bob?

53 Chapter 2 Perfectly-Secret Encryption

54 Secret Key Cryptography
Goal: Take a reasonable-length key and generate a one-to-one mapping to ciphertext that looks random to someone who doesn’t know the key

55 Modern Block Ciphers One of the most widely used types of cryptographic algorithms Provide secrecy /authentication services Focus on DES (Data Encryption Standard) illustrate block cipher design principles Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure the contents have not been altered. We continue to use block ciphers because they are comparatively fast, and because we know a fair amount about how to design them. Will use the widely known DES algorithm to illustrate some key block cipher design principles.

56 Block Cipher Scheme Encrypt Plaintext block of length N Cipher block
Secret key Decrypt

57 Block vs. Stream Ciphers
Block ciphers process messages in blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream ciphers process messages a bit or byte at a time when en/decrypting Many current ciphers are block ciphers broader range of applications Block ciphers work a on block / word at a time, which is some number of bits. All of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a “stream”. Block ciphers are currently better analysed, and seem to have a broader range of applications, hence focus on them.

58 Block Cipher Principles
Most symmetric block ciphers are based on a Feistel Cipher Structure needed since must be able to decrypt ciphertext to recover messages efficiently block ciphers look like an extremely large substitution Problem: Scale would need table of 264 entries for a 64-bit block Solution: Create from smaller building blocks using idea of a product cipher Most symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher. A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. An arbitrary reversible substitution cipher for a large block size is not practical, however, from an implementation and performance point of view. In general, for an n-bit general substitution block cipher, the size of the key is n x 2n. For a 64-bit block, which is a desirable length to thwart statistical attacks, the key size is 64 x 264 = 270 = 1021 bits. In considering these difficulties, Feistel points out that what is needed is an approximation to the ideal block cipher system for large n, built up out of components that are easily realizable.

59 Ideal Block Cipher Feistel refers to an n-bit general substitution as an ideal block cipher, because it allows for the maximum number of possible encryption mappings from the plaintext to ciphertext block. A 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 ciphertext bits. The encryption and decryption mappings can be defined by a tabulation, as shown in Stallings Figure 3.1. It illustrates a tiny 4-bit substitution to show that each possible input can be arbitrarily mapped to any output - which is why its complexity grows so rapidly. Problem: For small sizes, this is just equivalent to a standard substitution cipher

60 Generic Block Encryption
Substitution: 2k values k 2k bits Permutation: Change the position for each bit Requires k lg k bits For each of k bits, must specify output position Round: Each time through a substitution/permutation set Each change in input bit should be enough to affect all the output bits No more rounds than necessary, but enough to generate this property (typically, about 16)

61 Substitution-Permutation Ciphers
Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper form basis of modern block ciphers S-P nets are based on the two primitive cryptographic operations seen before: substitution (S-box) permutation (P-box) Provide confusion & diffusion of message & key Claude Shannon’s 1949 paper has the key ideas that led to the development of modern block ciphers. Critically, it was the technique of layering groups of S-boxes separated by a larger P-box to form the S-P network, a complex form of a product cipher. He also introduced the ideas of confusion and diffusion, notionally provided by S-boxes and P-boxes (in conjunction with S-boxes).

62 Confusion and Diffusion
Cipher needs to completely obscure statistical properties of original message A one-time pad does this More practically Shannon suggested combining S & P elements to obtain: Diffusion: dissipates statistical structure of plaintext over bulk of ciphertext Confusion: makes relationship between ciphertext and key as complex as possible The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system. Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. So successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.

63 Feistel Cipher Structure
Horst Feistel devised the feistel cipher based on concept of invertible product cipher Partitions input block into two halves Process through multiple rounds which perform a substitution on left data half based on round function of right half & subkey then have permutation swapping halves Horst Feistel, working at IBM Thomas J Watson Research Labs devised a suitable invertible cipher structure in early 70's. One of Feistel's main contributions was the invention of a suitable structure which adapted Shannon's S-P network in an easily inverted structure. It partitions input block into two halves which are processed through multiple rounds which perform a substitution on left data half, based on round function of right half & subkey, and then have permutation swapping halves. Essentially the same h/w or s/w is used for both encryption and decryption, with just a slight change in how the keys are used. One layer of S-boxes and the following P-box are used to form the round function.

64 Feistel Cipher Structure
Stallings Figure 3.2 illustrates the classical feistel cipher structure, with data split in 2 halves, processed through a number of rounds which perform a substitution on left half using output of round function on right half & key, and a permutation which swaps halves, as listed previously.

65 Feistel Cipher Design Elements
Block size: Larger size means greater security, but reduced speed. 64 bits is common. Key size: Same tradeoff bits is now common Number of rounds: Multiple rounds offer more security Subkey generation algorithm: Greater complexity means more difficult cryptanalysis Round function: Same story here. Other considerations Fast software en/decryption Ease of analysis The exact realization of a Feistel network depends on the choice of the following parameters and design features: block size - increasing size improves security, but slows cipher key size - increasing size improves security, makes exhaustive key searching harder, but may slow cipher number of rounds - increasing number improves security, but slows cipher subkey generation algorithm - greater complexity can make analysis harder, but slows cipher round function - greater complexity can make analysis harder, but slows cipher fast software en/decryption - more recent concern for practical use ease of analysis - for easier validation & testing of strength

66 Feistel Cipher Decryption
The process of decryption with a Feistel cipher, as shown in Stallings Figure 3.3, is essentially the same as the encryption process. The rule is as follows: Use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order. That is, use Kn in the first round, Kn–1 in the second round, and so on until K1 is used in the last round. This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption.

67 DES (Data Encryption Standard)
Published in 1977, standardized in 1979. Key: 64 bit quantity=8-bit parity+56-bit key Every 8th bit is a parity bit. 64 bit input, 64 bit output. 64 bit M 64 bit C DES Encryption 56 bits

68 Data Encryption Standard (DES)
Adopted in 1977 by NBS (now NIST) as FIPS PUB 46 Standardized in 9179 Encrypts 64-bit data using 56-bit key Now considered insecure, primarily due to the small key size Key: 8-bit parity + 56-bit key (problems with this) Very efficient to implement in hardware Enjoyed widespread international use The most widely used private key block cipher, is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. The DES enjoys widespread use. It has also been the subject of much controversy its security.

69 DES History IBM developed Lucifer cipher
by team led by Feistel in late 60’s used 64-bit data blocks with 128-bit key Redeveloped as a commercial cipher with input from NSA and others in 1973 NBS issued request for proposals for a national cipher standard IBM submitted their revised Lucifer which was eventually accepted as the DES In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of the LUCIFER algorithm. LUCIFER is a Feistel block cipher that operates on blocks of 64 bits, using a key size of 128 bits. Because of the promising results produced by the LUCIFER project, IBM embarked on an effort, headed by Walter Tuchman and Carl Meyer, to develop a marketable commercial encryption product that ideally could be implemented on a single chip. It involved not only IBM researchers but also outside consultants and technical advice from NSA. The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip. In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the modified LUCIFER. It was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.

70 DES Design Controversy
Although DES standard is public Considerable controversy over design in choice of 56-bit key (vs Lucifer 128-bit) and because design criteria were classified Before its adoption as a standard, the proposed DES was subjected to intense & continuing criticism over the size of its key & the classified design criteria. Recent analysis has shown despite this controversy, that DES is well designed. DES is theoretically broken using Differential or Linear Cryptanalysis but in practise is unlikely to be a problem yet. Also rapid advances in computing speed though have rendered the 56 bit key susceptible to exhaustive key search, as predicted by Diffie & Hellman. DES has flourished and is widely used, especially in financial applications. It is still standardized for legacy systems, with either AES or triple DES for new applications.

71 DES: Top-Down View …... 56-bit Key 64-bit Input 48-bit K1
Generate keys Permutation Initial Permutation 48-bit K1 Round 1 48-bit K2 Round 2 …... 48-bit K16 Round 16 Swap Swap 32-bit halves Permutation Final Permutation 64-bit Output

72 DES Encryption Overview
The overall scheme for DES encryption is illustrated in Stallings Figure3.4, which takes as input 64-bits of data and of key. The left side shows the basic process for enciphering a 64-bit data block which consists of: - an initial permutation (IP) which shuffles the 64-bit input block - 16 rounds of a complex key dependent round function involving substitutions & permutations - a final permutation, being the inverse of IP The right side shows the handling of the 56-bit key and consists of: - an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in two 28-bit halves - 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves

73 Initial Permutation (IP)
First step of the data computation Reorders the input data bits Even bits to LH half, odd bits to RH half quite regular in structure (easy in h/w) The benefits of this permutation are debatable at best Example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb) The initial permutation and its inverse are defined by tables, as shown in Stallings Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits. Note that the bit numbering for DES reflects IBM mainframe practice, and is the opposite of what we now mostly use - so be careful! Numbers from Bit 1 (leftmost, most significant) to bit 32/48/64 etc (rightmost, least significant). Note that examples are specified using hexadecimal. Here a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb”.

74 DES Round Structure Uses two 32-bit L & R halves
As for any Feistel cipher can describe as: Li = Ri–1 Ri = Li–1  F(Ri–1, Ki) F takes 32-bit R half and 48-bit subkey: expands R to 48-bits using perm E adds to subkey using XOR passes through 8 S-boxes to get 32-bit result finally permutes using 32-bit perm P Detail here the internal structure of the DES round function F, which takes R half & subkey, and processes them through E, add subkey, S & P. This follows the classic structure for a feistel cipher. Note that the s-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion”.

75 DES Round Structure Stallings Figure 3.6 illustrates the internal structure of the DES round function F. The R input is first expanded to 48 bits by using expansion table E that defines a permutation plus an expansion that involves duplication of 16 of the R bits (Stallings Table 3.2c). The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function comprising 8 S-boxes which each map 6 input bits to 4 output bits, producing a 32-bit output, which is then permuted by permutation P as defined by Stallings Table 3.2d.

76 Substitution Boxes S Have eight S-boxes which map 6 to 4 bits
Each S-box is actually 4 little 4-bit boxes outer bits 1 & 6 (row bits) select one row of 4 inner bits 2-5 (col bits) are substituted result is 8 lots of 4 bits, or 32 bits row selection depends on both data & key feature known as autoclaving (autokeying) example: S( d ) = 5fd25e03 The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. These transformations are defined in Stallings Table 3.3, which is interpreted as follows: The first and last bits of the input to box Si form a 2-bit binary number to select one of four substitutions defined by the four rows in the table for Si. The middle four bits select one of the sixteen columns. The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output. For example, in S1, for input , the row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 9, so the output is 1001. The example lists 8 6-bit values (ie 18 in hex is in binary, 09 hex is binary, 12 hex is binary, 3d hex is binary etc), each of which is replaced following the process detailed above using the appropriate S-box. ie S1(011000) lookup row 00 col 1100 in S1 to get 5 S2(001001) lookup row 01 col 0100 in S2 to get 15 = f in hex S3(010010) lookup row 00 col 1001 in S3 to get 13 = d in hex S4(111101) lookup row 11 col 1110 in S4 to get 2 etc

77 DES Key Schedule Forms subkeys used in each round
initial permutation of the key selects 56-bits in two 28-bit halves 16 stages consisting of: rotating each half separately either 1 or 2 places depending on the key rotation schedule K selecting 24-bits from each half & permuting them by for use in round function F note practical use issues in h/w vs s/w The DES Key Schedule generates the subkeys needed for each data encryption round. The 64-bit key input is first processed by Permuted Choice One (Stallings Table 3.4b). The resulting 56-bit key is then treated as two 28-bit quantities C & D. In each round, these are separately processed throgh a circular left shift (rotation) of 1 or 2bits as shown in Stallings Table 3.4d. These shifted values serve as input to the next round of the key schedule. They also serve as input to Permuted Choice Two (Stallings Table 3.4c), which produces a 48-bit output that serves as input to the round function F. The 56 bit key size comes from security considerations as we know now. It was big enough so that an exhaustive key search was about as hard as the best direct attack (a form of differential cryptanalysis called a T-attack, known by the IBM & NSA researchers), but no bigger. The extra 8 bits were then used as parity (error detecting) bits, which makes sense given the original design use for hardware communications links. However we hit an incompatibility with simple s/w implementations since the top bit in each byte is 0 (since ASCII only uses 7 bits), but the DES key schedule throws away the bottom bit! A good implementation needs to be cleverer!

78 DES Decryption decrypt must unwind steps of data computation
with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1) IP undoes final FP step of encryption 1st round with SK16 undoes 16th encrypt round …. 16th round with SK1 undoes 1st encrypt round then final FP undoes initial encryption IP thus recovering original data value As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order SK16 .. SK1. If you trace through the DES overview diagram can see how each decryption step top to bottom with reversed subkeys, undoes the equivalent encryption step moving from bottom to top.

79 Avalanche Effect Desirable property of encryption alg
where a change of one input or key bit results in changing approx half output bits making attempts to “home-in” by guessing keys impossible DES exhibits strong avalanche A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched. DES exhibits a strong avalanche effect, as may be seen in Stallings Table 3.5.

80 Strength of DES – Key Size
56-bit keys have 256 = 7.2 x 1016 values brute force search looks hard Recent advances have shown is possible in 1997 on Internet in a few months in 1998 on dedicated h/w (EFF) in a few days in 1999 above combined in 22hrs! Still must be able to recognize plaintext must now consider alternatives to DES Since its adoption as a federal standard, there have been lingering concerns about the level of security provided by DES in two areas: key size and the nature of the algorithm. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2*10^16 keys. Thus a brute-force attack appeared impractical. However DES was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98]. There have been other demonstrated breaks of the DES using both large networks of computers & dedicated h/w, including: on a large network of computers in a few months on dedicated h/w (EFF) in a few days above combined in 22hrs! It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. Clearly must now consider alternatives to DES, the most important of which are AES and triple DES.

81 Strength of DES – Analytic Attacks
now have several analytic attacks on DES these utilise some deep structure of the cipher by gathering information about encryptions can eventually recover some/all of the sub-key bits if necessary then exhaustively search for the rest generally these are statistical attacks include differential cryptanalysis linear cryptanalysis related key attacks Another concern is the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm. The focus of concern has been on the eight substitution tables, or S-boxes, that are used in each iteration. These techniques utilise some deep structure of the cipher by gathering information about encryptions so that eventually you can recover some/all of the sub-key bits, and then exhaustively search for the rest if necessary. Generally these are statistical attacks which depend on the amount of information gathered for their likelihood of success. Attacks of this form include differential cryptanalysis. linear cryptanalysis, and related key attacks.

82 Strength of DES – Timing Attacks
attacks actual implementation of cipher use knowledge of consequences of implementation to derive information about some/all subkey bits specifically use fact that calculations can take varying times depending on the value of the inputs to it particularly problematic on smartcards We will discuss timing attacks in more detail later, as they relate to public-key algorithms. However,the issue may also be relevant for symmetric ciphers. A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts. A timing attack exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs. The AES analysis process has highlighted this attack approach, and showed that it is a concern particularly with smartcard implementations, though DES appears to be fairly resistant to a successful timing attack.

83 Differential Cryptanalysis
One of the most significant recent (public) advances in cryptanalysis known by NSA in 70's cf DES design Murphy, Biham & Shamir published in 90’s Powerful method to analyse block ciphers Used to analyse most current block ciphers with varying degrees of success DES reasonably resistant to it Biham & Shamir show Differential Cryptanalysis can be successfully used to cryptanalyse the DES with an effort on the order of 247 encryptions, requiring 247 chosen plaintexts. They also demonstrated this form of attack on a variety of encryption algorithms and hash functions. Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as a T attack), and influenced the design of the S-boxes and the permutation P to improve its resistance to it. Compare DES’s security with the cryptanalysis of an eight-round LUCIFER algorithm which requires only 256 chosen plaintexts, verses an attack on an eight-round version of DES requires 214 chosen plaintexts.

84 Differential Cryptanalysis
A statistical attack against Feistel ciphers uses cipher structure not previously used design of S-P networks has output of function f influenced by both input & key Hence, cannot trace values back through cipher without knowing value of the key Differential cryptanalysis compares two related pairs of encryptions The differential cryptanalysis attack is complex. The rationale behind differential cryptanalysis is to observe the behavior of pairs of text blocks evolving along each round of the cipher, instead of observing the evolution of a single text block. Each round of DES maps the right-hand input into the left-hand output and sets the right-hand output to be a function of the left-hand input and the subkey for this round, which means you cannot trace values back through cipher without knowing the value of the key. Differential Cryptanalysis compares two related pairs of encryptions, which can leak information about the key, given a sufficiently large number of suitable pairs.

85 Differential Cryptanalysis Compares Pairs of Encryptions
with a known difference in the input searching for a known difference in output when same subkeys are used This attack is known as Differential Cryptanalysis because the analysis compares differences between two related encryptions, and looks for a known difference in leading to a known difference out with some (pretty small but still significant) probability. If a number of such differences are determined, it is feasible to determine the subkey used in the function f. Shown here is the equation from Stallings section 3.4 which shows how this removes the influence of the key, hence enabling the analysis.

86 Differential Cryptanalysis
Have some input difference giving some output difference with probability p If find instances of some higher probability input / output difference pairs occurring Can infer subkey that was used in round Then must iterate process over many rounds (with decreasing probabilities) The overall strategy of differential cryptanalysis is based on these considerations for a single round. The procedure is to begin with two plaintext messages m and m’ with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the ciphertext. You submit m and m’ for encryption to determine the actual difference under the unknown key and compare the result to the probable difference. If there is a match, then suspect that all the probable patterns at all the intermediate rounds are correct. With that assumption, can make some deductions about the key bits. This procedure must be repeated many times to determine all the key bits.

87 Differential Cryptanalysis
Stallings Figure 3.7 illustrates the propagation of differences through three rounds of DES. The probabilities shown on the right refer to the probability that a given set of intermediate differences will appear as a function of the input differences. Overall, after three rounds the probability that the output difference is as shown is equal to 0.25*1*0.25= Since the output difference is the same as the input, this 3 round pattern can be iterated over a larger number of rounds, with probabilities multiplying to be successively smaller.

88 Differential Cryptanalysis
perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR when found if intermediate rounds match required XOR have a right pair if not then have a wrong pair, relative ratio is S/N for attack can then deduce keys values for the rounds right pairs suggest same key bits wrong pairs give random values for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES Differential Cryptanalysis works by performing the attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR. See [BIHA93] for detailed descriptions. Attack on full DES requires an effort on the order of 247 encryptions, requiring 247 chosen plaintexts to be encrypted, with a considerable amount of analysis – in practise exhaustive search is still easier, even though up to 255 encryptions are required for this.

89 Linear Cryptanalysis another recent development
also a statistical method must be iterated over rounds, with decreasing probabilities developed by Matsui et al in early 90's based on finding linear approximations can attack DES with 243 known plaintexts, easier but still in practise infeasible A more recent development is linear cryptanalysis. This attack is based on finding linear approximations to describe the transformations performed in DES. This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis. Although this is a minor improvement, because it may be easier to acquire known plaintext rather than chosen plaintext, it still leaves linear cryptanalysis infeasible as an attack on DES. Again, this attack uses structure not seen before. So far, little work has been done by other groups to validate the linear cryptanalytic approach.

90 Linear Cryptanalysis find linear approximations with prob p != ½
P[i1,i2,...,ia]  C[j1,j2,...,jb] = K[k1,k2,...,kc] where ia,jb,kc are bit locations in P,C,K gives linear equation for key bits get one key bit using max likelihood alg using a large number of trial encryptions effectiveness given by: |p–1/2| The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability p<>0.5 as shown. Once a proposed relation is determined, the procedure is to compute the results of the left-hand side of the equation for a large number of plaintext-ciphertext pairs, in order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of info about them. This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined. See [MATS93] for details.

91 DES Design Criteria as reported by Coppersmith in [COPP94]
7 criteria for S-boxes provide for non-linearity resistance to differential cryptanalysis good confusion 3 criteria for permutation P provide for increased diffusion Although much progress has been made in designing block ciphers that are cryptographically strong, the basic principles have not changed all that much since the work of Feistel and the DES design team in the early 1970s. Some of the criteria used in the design of DES were reported in [COPP94], and focused on the design of the S-boxes and on the P function that distributes the output of the S boxes, as summarized above. See text for further details.

92 Chapter 3 Public-Key Encryption

93 Symmetric-key encryption
Invertible function Security depends on the shared secret – a particular key. Fast, highly secure Fine for repeated communication Poor fit for one-shot communication, signatures

94 Asymmetric-key (public key) encryption
The basic idea: A user has two keys: a public key and a private key. A message can be encrypted with the public key and decrypted with the private key to provide security. A message can be encrypted with the private key and decrypted with the public key to provide signatures.

95 One-way functions Most common functions are invertible; for any F(x) = y, there is an F-1(y) = x. Multiplication and division DES A function which is easy to compute in one direction, but hard to compute in the other, is known as a one-way function. Hashing, modular arithmetic. A one-way function that can be easily inverted with an additional piece of knowledge is called a trapdoor one-way function.

96 One-way functions Public key encryption is based on the existence of trapdoor one-way functions. Encryption with the public key is easy. Decryption is computationally hard. Knowledge of the private key opens the trapdoor, making inversion easy. Password systems also use one-way functions.

97 Overview of RSA RSA is the most common and well-known public key cryptosystem Basic notation: a key pair (e,d) contains two keys: e is the public key (used to encrypt documents) d is the private key (used to decrypt documents) M is the plaintext message. Let R be the encryption function. R(e,M) = C. R(d,C) = M. - encryption R(d,M) = C’ R(e,C’) = M - signing R(e,R(d,M)) = M = R(d,R(e,M)) Same function is used for both operations.

98 Modular Arithmetic RSA’s security is based on modular arithmetic.
a = b (mod n) <-> there is a q such that a-b=qn b is the remainder after dividing a by n 23 = 3 (mod 5) A set {0,1,…,n-1} is closed under modular addition and multiplication. (a(mod n) + b(mod n))(mod n) = (a+b) (mod n) (ab)(mod n) = (a(mod n) b(mod n))(mod n)

99 Modular Arithmetic Two numbers p and q are said to be relatively prime if their greatest common divisor is 1. 5 and 17, 8 and 9, 10 and 21 To compute gcd: gcd(a,b) = gcd(b, a mod b) (Euclid, 300BC)

100 Identities and Inverses
An identity is a number that maps a number to itself under some operation. 0 in normal addition, 1 in multiplication. An inverse is a number (within the input set) and maps a given number to the identity X * 1/X, X + -X in integer math We are particularly interested in multiplicative inverses for modular arithmetic. (ab) = 1 (mod n)

101 Multiplicative Inverses
3 and 2 are multiplicative inverses mod 5. 7 and 6 are multiplicative inverses mod 41. 5 and 2 are multiplicative inverses mod 9. For n > 1, if a and n are relatively prime, there is a unique x such that ax = 1 (mod n)

102 More preliminaries Fermat’s Little Theorem:
If p is prime, then for all a: ap-1 = 1 (mod p) Chinese Remainder Thm (corollary) If p and q are prime, then for all x and a: x = a(mod p) and x = a(mod q) iff x=a mod(pq) These are needed to prove RSA’s correctness.

103 The RSA Algorithm Pick two large (100 digit) primes p and q.
Let n = pq Select a relatively small integer d that is prime to (p-1)(q-1) Find e, the multiplicative inverse of d mod (p-1)(q-1) (d,n) is the public key. To encrypt M, compute En(M) = Me(mod n) (e,n) is the private key. To decrypt C, compute De(C) = Cd(mod n)

104 RSA example Let p = 11, q = 13 n = pq = 143
(p-1)(q-1) = 120 = 3 x 23 x 5 Possible d: 7, 11, 13, 17, … (let’s use 7) Find e: e*7 = 1(mod 120) = 103 Public key: (7, 143) Private key: (103, 143) En(42) = 427 (mod 143) = 81 De(81) = 81103(mod 143) = 42

105 Correctness of RSA To show RSA is correct, we must show that encryption and decryption are inverse functions: En(De(M)) = De(En(M)) = M = Med (mod n) Since d and e are multiplicative inverses, there is a k such that: ed=1+ kn = 1 + k(p-1)(q-1) Med = M1+k(p-1)(q-1) = M*(Mp-1)k(q-1) By Fermat: Mp-1=1(mod p) Med = M(1)k(q-1)(mod p) = M(mod p)

106 Correctness of RSA Med = M(1)k(q-1)(mod p) = M(mod p)
Med = M(1)k(q-1)(mod q) = M(mod q) By Chinese Remainder Thm, we get: M^{ed} = M (mod p) M (mod q) = M (mod pq) = M (mod n) Therefore, RSA reproduces the original message and is correct.

107 Strengths of RSA No prior communication needed
Highly secure (for large enough keys) Well-understood Allows both encryption and signing

108 Weaknesses of RSA Large keys needed (1024 bits is current standard)
Relatively slow Not suitable for very large messages Public keys must still be distributed safely.

109 Security of RSA The security of RSA is dependent on the assumption that it’s difficult to generate the private key d from the public key e and the modulus n. Equivalent to integer factorization problem. This is how we got e and d in the first place. Factoring is thought to be computationally hard. No proof, though!

110 Difficulty of Factoring
The fastest known factoring algorithm is the generalized number field sieve. Sub-exponential time Greater than polynomial space. Some statistics: Number Length Machines Memory/Machine 430 1 Trivial 760 215,000 4Gb 1020 342 million 170 Gb 1620 1.6x10^15 120 Tb

111 Security and Problem Difficulty
Another way to think about the problem is to ask how long a keylength will be secure, given Moore’s law: From the RSA labs factoring FAQ

112 Security and Problem Difficulty
RSA-155 (512 bit asymmetric-key) broken in 1999. Estimate: capability grows by ~4.25 digits per year. (approx bits per year) 1024-bit RSA should be “secure” until 2037. Using Moore’s Law – 1024-bit is 7 million times harder than 512-bit So, we need a 7 millionX speedup to crack 1024-bit RSA with the same relative computational power. Also about 34 years. Question: How long does your data need to be secure?

113 Digital Signatures Desirable properties of a digital signature:
A receiver must be able to validate the signature The signature must not be forgeable The signer must not be able to repudiate the signature. Encrypt with private key, validate with public key. For security and authenticity, encrypt the signed message with the receiver’s public key.

114 Hash Functions A hash function is a one-way function that maps a message M into a (typically smaller) hashed message H. Sometimes this is called a fingerprint Also sometimes a message digest. Goals: Non-invertible fast low collision rate

115 Hash Functions To sign a document, I compute its hash, encrypt that with my private key, and send the encrypted hash along with the original document as plaintext. The receiver hashes the plaintext and then uses my public key to verify that I was the one who sent the document. Can also detect tampering.

116 Combining Public and Secret Keys
Public-key encryption is often used to synchronize secret session keys. SSL uses this. A generates a secret key and sends it to B, encrypted with B’s public key. For handshaking, include a random number. B decrypts the message and has the secret key. For handshaking, B encrypts the random number with A’s public key and returns it.

117 Authentication A sends “Please authenticate me” to B
B creates a random message and signs it with A’s public key. A decrypts the message with its private key, encrypts it with B’s public key, and returns it. Only someone with A’s private key can do this. Potential attack: B gets to pick a string that A will encrypt This could yield information about A’s private key.

118 Zero-knowledge Protocols
One application of public-key cryptography is zero-knowledge protocols. Often, one party might want to prove something to another without revealing any information Nuclear treaties Bank balances Sensitive information

119 Zero-knowledge protocols
Alice wants to prove to Bob that she is Alice. If she sends identification, Bob (or an eavesdropper) can use it. Example: Authority chooses a number N=77, known by all. Alice’s public ID: (58, 67) Alice’s private ID: (9,10) These are multiplicative inverses mod 77

120 Zero-knowledge protocols
Alice chooses some random numbers and computes their square mod N. {19, 24, 51} -> 192(mod 77) = 53, (mod 77) = 37, 512(mod 77) = 60 Alice sends {53,37,60} to Bob. Bob sends back a random 2x3 matrix of 1s and 0s. 0 1 1 0 1 1

121 Zero-knowledge protocols
Alice uses this grid, plus her original random numbers and her secret numbers, to compute: 19 * 90 * 101 (mod 77) = 36 24 * 91 * 100 (mod 77) = 62 51 * 91 * 101 (mod 77) = 47 She sends {36,62,47} to Bob.

122 Zero-knowledge protocols
Bob verifies Alice’s identity by computing: {58,67} are Alice’s public numbers 36^2 *58^0 *67^1 (mod 77)= 53 62^2 *58^1 * 67^0 (mod 77) = 37 47^2 * 58^1 * 67^1 (mod 77) = 60 Alice’s original numbers reappear! (Actually, an attacker would have a 1 in 64 chance of guessing correctly …)

123 Zero-knowledge protocols
In a real system, N would be very large 160 digits. Many more numbers would be generated. This works because Alice’s secret numbers are multiplicative inverses of her public numbers mod N. Also, Bob learns nothing that he didn’t know before.

124 Chapter 4 Cryptographic Hash Functions Message Authentication

125 Abstract We will discuss Cryptographic hash functions
Message authentication codes HMAC and CBC-MAC Digital signatures

126 Encryption/Decryption
Provides message confidentiality. Does it provide message authentication?

127

128

129

130

131 Collision-resistant hash functions can be built from collision-resistant compression functions using Merkle-Damgard construction.

132

133 Merkle-Damgard Construction
m m m mk v v v vk h(m) f f f f IV

134

135

136

137

138

139

140

141 m = m m m ms h(m) X hk(m) k X IV f f f f ms+1 hk(m) hk(m||ms+1) f

142

143

144 Cipher Block Chaining (CBC)

145

146 Message m MACk(m) Message m Sigpr(m)

147

148 Digital signature (using RSA-1):
Encryption (using RSA): Alice Bob PUBob PRBob E C D M M Digital signature (using RSA-1): Alice Bob PUBob PRBob E(S) =M? E S D M Verify Sign

149

150

151

152

153

154

155 Chapter 5 Pseudorandom Permutations in Practice: Block Ciphers

156 Agenda Introduction Block Ciphers Definition
Standards Competitions and Requirements Common Building Blocks Examples Modes of Encryption

157 Introduction Intended as an overview Practical focus
Cover many topics instead of a few in-depth Examples of ciphers – show variety of designs while using basic building blocks

158 Uses Types of data Files, disk, large plaintext
Not streaming, unless in keystream mode of encryption Random number generator: RSA token, VASCO digipass (OTPs)

159 Symmetric Key Cryptography
Secret key – one key General categories of algorithms Block Ciphers Stream Ciphers Heuristics Well analyzed Components based on defined properties But, unlike public key, no formal security proof exists Faster than public key algorithms

160 Why Understand Symmetric Key Cipher Design?
If develop own library – efficient implementation, need to avoid errors due to misunderstanding or “alterations” to obtain resource savings If involve in selecting ciphers for an application, lack of analysis may result in problems later – ex. cellular encryption algorithms Using a proprietary cipher is generally not feasible – it will be reversed engineered

161 Agenda Introduction Block Ciphers Definition
Standards Competitions and Requirements Common Building Blocks Examples Modes of Encryption

162 Block Ciphers Input data (plaintext) and a secret key
Get output (ciphertext) secret key Plaintext P Ciphertext C Encryption secret key Plaintext P Ciphertext C Decryption

163 Block Ciphers - Definition
A block cipher operating on b-bit inputs is a family of permutations on b bits with the key given to the block cipher used to select the permutation. k: q-bit key. P: b-bit string denoting a plaintext. C: b-bit string denoting a ciphertext.

164 Block Ciphers - Definition
2 bit block cipher, 2 bit key with encryption function defined by: Key 00 Key 01 Key 10 Key 11 P C 00 10 01 11 P C 00 11 01 10 P C 00 11 01 10 P C 00 01 10 11 secret key 01 In practice, infeasible to store representation of block cipher as tables: example: 2128 01 00 Encryption

165 Block Ciphers - Definition
An encryption function: E = {Ek} is a family of 2q permutations on b bits indexed by k, where k is q bits A decryption function: D = {Dk} is a family of 2q permutations on b bits indexed by k such that Dk is the inverse of Ek. Given a b-bit plaintext, P, and key, k, if C = Ek(P) then P = Dk(C).

166 Block Ciphers - Definition
In practice, a block cipher will take as input a secret key, k, and apply a function, F, called a key schedule, to k that expands k into an expanded key, ek= F(k). k is usually 128, 192 or 256 bits and ek is often more than 100 bytes. Discuss later – key schedules defined to be computationally efficient at the cost of a lack of randomness in the expanded-key bits.

167 Block Ciphers - Definition
Consider a block cipher with 128 bit plaintext and 128 bit key 2128 possible plaintexts 2128! possible permutations Key is index to permutation to use: Only 2128 permutations used by the block cipher

168 Pseudorandom Permutation Definition
Property of ideal (in theory) block cipher: strong PRP Box contains either the block cipher or a random permutation Pseudorandom permutation (PRP): Attacker cannot make polynomial many adaptive chosen plaintext or adaptive chosen ciphertext queries (but not both) and determine contents of box with probability ½ + e for non-negligible e > 0. P1,P2 … Pn C1,C2 … Cn

169 Strong PRP Definition Strong PRP (SPRP): same idea as PRP, but can make queries in both directions P1,P4 … Pi C1,C4 … Ci P2,P3 … Pn C2,C3 … Cn

170 Typical Block Cipher Structure
P,C are fixed length (e.g or 256 bits) Secret key, K, expanded via a function called a key schedule to create round keys k1,k2, … kr plaintext P r rounds round i uses ki Round Function Block cipher: Input data, called plaintext, and a secret key, get output that appears to be random bits Output is called the ciphertext Given ciphertext but not the key, a person should not be able to determine what the plaintext was P, C are fixed length – block size set per standards competitions to be large enough to avoid exhaustive search, no requirement for variable lengths, no well analyzed method for creating variable lengths ciphertext C

171 Parameters Block size: 128 bits minimum, 256 bits (64-bit ciphers still in use due to existing implementations – ex. 3DES, Kasumi) Key size: 128 typical, 192, 256 bits

172 Modes of Encryption Block cipher is used in a mode of encryption
Block-by-block encryption (ECB – Electronic Code Book) can result in patterns being detectable Common modes presented later

173 Agenda Introduction Block Ciphers Definition
Standards Competitions and Requirements Common Building Blocks Examples Modes of Encryption

174 Standards Competitions
NIST Advanced Encryption Standard (AES) – US, November 2001 New European Schemes for Signatures,  Integrity, and Encryption (NESSIE) – European Union, March 2003 Cryptography Research and Evaluation Committee (Cryptrec) – Japan’s government, August 2003

175 Standards Competitions
NIST: AES (Rijndael) NESSIE: AES, Camellia Cryptrec: AES, Camellia, Hierocrypt-3*, SC2000* NIST AES runner-ups: Mars, RC6, Serpent, Twofish NESSIE 64-bit: MISTY1 Cryptrec 64-bit: CIPHERUNICORN Other: Kasumi (64-bit block, 128-bit key): 1999 – modified MISTY1, used in 3GPP DES (64-bit block, 64-bit key with 56 bits used – 3DES, NIST standard ) *Also submitted to NESSIE but not selected

176 Requirements - NIST Security: Resistance to cryptanalysis
Soundness of the mathematical basis Randomness of the ciphertext Costs: System resources (hardware and software) required Monetary costs Algorithm and implementation characteristics Use for other cryptographic purposes (hash function, a random bit generator and a stream cipher - such as via CTR mode) Encryption and decryption using the same algorithm Ability to implement the algorithm in both software and hardware Simplicity: reduces implementation errors and impacts costs, such as power consumption, number of hardware gates and execution time

177 Requirements - NESSIE "Simplicity and clarity of design are important considerations. Variable parameter sizes are less important." Selection criteria divided into four areas: Security: resistance to cryptanalysis. Market requirements: feasibility of implementation from a technical perspective (cost-efficient implementations) and business perspective (free of licensing restrictions). Performance and flexibility: range of environments in which the algorithm could efficiently be implemented. Software considerations included 8-bit processors (as found in inexpensive smart cards), 32-bit and 64-bit processors. For hardware, both field-programmable gate arrays (FPGAs) and application-specific integrated circuits (ASICs) were considered. Flexibility: use in multiple applications and for multiple purposes

178 Requirements - NESSIE Three categories of block ciphers:
High security: keys  256 bits, block length of 128 bits. Normal security: keys  128 bits and a block length of 128 bits. Normal legacy: keys  128 bits and a block length of 64 bits. In all categories: minimal attack workload must be least O(280) triple DES encryptions

179 Agenda Introduction Block Ciphers Definition
Standards Competitions and Requirements Common Building Blocks Examples Modes of Encryption

180 Terms Confusion: obscure relationship between plaintext and ciphertext
Diffusion: Spread influence of a plaintext bit and/or key bit over ciphertext (avalanche effect) Hides statistical relationships between plaintext and ciphertext Ideally (not in practice) if a single plaintext bit changes, every ciphertext bit should change with probability ½. Suppose encrypting plaintext produces ciphertext Then encrypt , can’t predict anything about ciphertext

181 Terms Differential Two inputs to a function: P1, P2
Corresponding outputs C1,C2 Differential is P1  P2, C1  C2 Linear relationship Input P, output C, key K Linear equation consisting of Pi, Ci, Ki bits that holds with probability ½ + e for non-negligible e Example: P1  K2 = C10 with probability ¾

182 Agenda Introduction Block Ciphers Definition
Standards Competitions and Requirements Common Building Blocks Examples Modes of Encryption

183 Common Building Blocks
Substitution-Permutation Network (SPN) General term for sequence of operations that performs substitutions and permutations on bits Feistel Network (will see example later) For input L0 || R0 and any function F Li = Ri-1 Ri = Li-1  F(Ri-1,Ki) Ki = other input to F, (ex. key material) Whitening XOR data with key material (X  K) Helps break relationship between output of one round and input to next round

184 Common Building Blocks
Substitution Boxes (S-Box) Based on data (and sometimes key bits), replace data Designed to minimize differential and linear relationships key bits 00 01 10 11 data bits

185 AES – 128 bit block 128 bit plaintext AddRoundKey initial whitening
S-Box Shiftrows MixColumns 9 rounds AddRoundKey S-Box Shiftrows last round AddRoundKey 128 bit ciphertext

186  with expanded key bytes
AES AES 128 bit data block Plaintext whitening AddRoundKey Keyless permutations and substitutions. SubBytes (S-Box) ShiftRows MixColumns AddRoundKey  with expanded key bytes Nr rounds MixColumns not in last round Ciphertext key length in bits Nk = # of 32 bit words in key Nb = # of words in input/output (128 bits) Nr = # of rounds 128 4 10 192 6 12 256 8 14 Variable key length and # of rounds. Decryption not same as encryption.

187 AES Round Function Components: Encryption
SubBytes S-Box (table lookup at byte level, see FIPS197 for table values) ShiftRows s00 s01 s02 s03 s10 s11 s12 s13 s20 s21 s22 s23 s30 s31 s32 s33 s00 s01 s02 s03 s11 s12 s13 s10 s22 s23 s20 s21 s33 s30 s31 s32 A: Shift row i i positions (i = 0 to 3) sij is a byte MixColumns Usually implemented as a table lookup Coefficients of a polynomial A  A (in hex) AddRoundKey A round_key  A

188 AES Diffusion: Single Byte
Round 1 AES Diffusion: Single Byte s00 s01 s02 s03 s10 s11 s12 s13 s20 s21 s22 s23 s30 s31 s32 s33 Round 2 Input s’00 s’01 s’02 s’03 s’12 s’13 s’10 s’11 s’20 s’21 s’22 s’23 s’32 s’33 s’30 s’31 s00 s01 s02 s03 s11 s12 s13 s10 s22 s23 s20 s21 s33 s30 s31 s32 After ShiftRows s’’00 S’’01 s’’02 s’’03 s’’12 s’’13 s’’10 s’’11 s’’20 s’’21 s’’22 s’’23 s’’32 s’’33 s’’30 s’’31 Note: AddRoundKey has no impact on diffusion s’00 s’01 s’02 s’03 s’11 s’12 s’13 s’10 s’22 s’23 s’20 s’21 s’33 s’30 s’31 s’32 After MixColumns

189 AES Round Function Can be collapsed to 4 table lookups and 4 XORs using 32-bit values (tables for last round differ – no MixColumns step) XOR result with round key

190 AES Decryption SubBytes S-Box inverse (see FIPS197 for table values)
ShiftRows reverse shift s00 s01 s02 s03 s10 s11 s12 s13 s20 s21 s22 s23 s30 s31 s32 s33 s00 s01 s02 s03 s11 s12 s13 s10 s22 s23 s20 s21 s33 s30 s31 s32 A: Shift row i i positions (i = 0 to 3) sij is a byte MixColumns 0E 0B 0D 09 09 0E 0B 0D 0D E 0B 0B 0D E A  A (in hex) AddRoundKey A round_key  A

191 AES Key Schedule Loop 40 times for 128-bit key, 128-bit block
wi = ith 32 bit word of the expanded key For 1st Nk words: wi = ith word of key (Nk=4 for 128 bit keys) i.e. key is used as initial whitening (the first AddRoundKey step) For remaining words (i = Nk to Nb*(Nr+1) –1) { if i is not a multiple of Nk wi = wi-1  wi-Nk if i is a multiple of Nk and Nk < 8 wi = (S-Box applied to a rotation of wi-1)  wi-Nk  round constant if Nk = 8 and i mod Nk = 4 wi = (S-Box applied to wi-1)  wi-Nk } S-Box and rotations are applied at the byte level. Loop 40 times for 128-bit key, 128-bit block Most expanded key words are  of two previous words

192 (Balanced) Feistel Network
b bits plaintext left half right half round function each half is input to round function once two rounds are a cycle round function round function round function Note: unbalanced = b bits divided into two unequal portions b bits ciphertext

193 Feistel Network Advantages: Run network in reverse to decrypt
Round function does not have to be invertible Implementation benefit – same code/hardware used for encryption and decryption If the round function is pseudorandom permutation (theoretical concept), provable properties about 3 and 4 rounds Disadvantages: Diffusion can be slow: ½ of bits have no impact in first application of the round function One round differential characteristic with probability of 1

194 PRPs, SPRPs from Feistel
Round functions independently and randomly chosen PRPs, r rounds and n bit input to round function, randomly select “tables” representing round functions First selection from 2n! tables, then from 2n! -1, 2n!-2, … 2n!-r+1 tables 3 round Feistel network is PRP 4 round Feistel network is a SPRP Luby-Rackoff, Naor-Reingold

195 Camellia 128-bit Key and Block

196 Camellia F Function F(x,k) = P(S(x  k)), where S is a S-Box on 8-bytes. P is a function that XORs bytes of its 8-byte input to form an 8-byte output. P function: Output Byte : Input Bytes XORed 1 : 1,3,4,6,7,8 2 : 1,2,4,5,7,8 3 : 1,2,3,5,6,8 4 : 2,3,4,5,6,7 5 : 1,2,6,7,8 6 : 2,3,5,7,8 7 : 3,4,5,6,8 8 : 1,4,5,6,7 Byte 1: 1,2,5,8 Byte 2: 2,3,4,5,6 Byte 3: 1,3,4,6,7 Byte 4: 1,2,4,7,8 Byte 5: 2,3,4,6,7,8 Byte 6: 1,3,4,5,7,8 Byte 7: 1,2,4,5,6,8 Byte 8: 1,2,3,5,6,7 diffusion

197 Camellia F Function The substitution performed by S is done by viewing the data as 8 bytes and using one of four S-Boxes, (S1, S2, S3, S4), on each byte. Bytes 1 and 8 have S1 applied Bytes 2 and 5 have S2 applied Bytes 3 and 6 have S3 applied Bytes 4 and 7 have S4 applied One table, S represents S1,S2,S3,S4 Create S1,S2,S3,S4 as follows: For i = 0 to 255: S1[i] = S[i] S2[i] = (S[i] >> 7  S[i] << 1) & 0xff S3[i] = (S[i] >> 1  S[i] << 7) & 0xff S4[i] = S[((i) << 1  i >> 7) & 0xff

198 Camellia F Function P function: diffusion amongst bytes
S-box: Allows for time/memory tradeoff in implementations Can store four tables S1,S2,S3,S4 Can store only S and compute values

199 Camellia FL Function The FL function takes a 64-bit input and 64 expanded key bits. Let XL and XR denote the left and right halves of the input, respectively Let YL and YR denote the left and right halves of the output, respectively. Let klL and klR denote the left and right halves of the 64 key bits. FL is defined as: YR = ((XL  klL) <<< 1)  XR YL = (YR  klR)  XL FL-1 is: XL = (YR  klR)  YL XR = ((XL  klL) <<< 1)  YR  is bitwise OR  is bitwise AND <<< is left rotation incorporating key bits

200 Camellia 192,256-bit Keys

201 Camellia Key Schedule Let K be the key.
Applies rounds of Camellia with constants for the round keys to K. XORs round’s output with the K then applies additional rounds. Let KA be the final output of the rounds. Each round key is part of KA or K rotated. KA, K values used in multiple rounds For example: initial whitening uses K 9th application of F uses the left half of KA rotated 45 bits to the left.

202 MISTY1 b bits left 32 bits right 32 bits FLi FLi+1 F0i round function

203 MISTY1 FL Function The FL function takes a 32-bit input and 32 bits of expanded key bits. Let XL and XR denote the left and right halves of the input, respectively. Let KLiL and KLiR denote the left and right halves of the 32 key bits. The index i refers to the component. YR = (XL  KLiL)  XR YL = (YR  KLiR)  XL The 32 bit output is YL || YR The inverse of FL is used in decryption and is defined by XL = (Y_R  KLiR)  YL XR = (X_L  KLiL)  YR The 32 bit output is XL || XR Combines key and data bits; some diffusion between two 16-bit data segments

204 MISTY F0 Function A 32-bit input, a 64-bit key and 48-bit key (from expanded key bits). Let L0 and R0 denote the left and right halves of the input Let KOi be the 64-bit key and KIi be the 48 bit key. KOi and KIi are each divided into 16 bit segments. KOij and KIij denote the jth 16 bit segment of KOi and KIi, respectively. For (j=1; j  3; ++j) { R_j = FI((Lj-1  KOij),KIij)  Rj-1 Lj = Rj-1 } The value (L3  KOi4)|| R3 is returned Combines key and data bits; some diffusion between two 16-bit data segments

205 MISTY FI Function 16 bit input, Xj, and a 16 bit key, KIij.
Let Xj = L0(9) || R0(7) (x) indicates x bits Let KIij = KIijL(7) || KIijR(9) S7 and S9: two S-Boxes mapping 7 and 9-bit inputs to 7 and 9-bit outputs. Refer to the paper on MISTY1 for the table values S-Boxes: each output bit corresponds to the multiplication and XOR of a subset of input bits. ZE(x): 7-bit input, x, and adds two 0's as the most significant bits. TR(x): 9-bit input, x, and discards the two most significant bits.

206 MISTY FI Function L1(7) = R0(7) R1(9) = S9(L0(9))  ZE(R0(7))
L2(9) = R1(9)  KIijR(9) R2(7) = S7(L1(7))  TR(R1(9))  KIijL(7) L3(7) = R2(7) R3(9) = S9(L2(9))  ZE(R2(7)) FI returns L3(7) || R3(9) Combines key and data bits; “shifts” bits so 16-bit halves used in F, F0 functions are altered – helps diffusion between two 16-bit data segments

207 MISTY1 Key Schedule One 128-bit key is divided into eight 16 bit values. Let Ki be the ith 16 bit portion. Note: i = i-8 for i > 8 Create eight 16 bit values using the K_i's and the FI function: K'i = FI(Ki,Ki+1) KOi1 = Ki KOi2 = Ki+2 KOi3 = Ki+7 KOi4 = Ki+4 KIi1 = K‘i+5 KIi2 = K‘i+1 KIi3 = K‘i+3 KLiL = K’(i+1)/2 when i is odd and K‘i/2 + 2 when i is even KLiR = K‘(i+1)/2 +6 when i is odd and Ki/2 +4 when i is even

208 MARS 3 main stages 128 bit data block 128 to 448 bit keys whitening
Quick diffusion Type 3 Feistel Network Makes use of data dependent rotations. Multiplies data words by key words, limited use of multiply because hard to analysis in addition to being more expensive. 1st, 3rd stages used to quickly diffuse data and key bits – avalanche effect. While these layers are not very difficult to analyze and thus are cryptographically weaker than the middle layer, they make it more difficult to attack middle layer – attacks takes information about P’s and C’s and work through outer layers inward. Now have to get subkey correct to reach middle round functions. Key is multiple of 32 bits; Expands key into bit words Use of XORs, rotations, of previous key entries and indices Then cleanup – set to 11 two lowest bits of key bytes used for multiplications Tweak so no consecutive 10 0’s or 10 1’s. – so in mult. some change in top 10 bits will occur. Decryption differs from encryption. whitening

209 MARS - Details Forward Mixing Backward Mixing whitening whitening
Backward mixing is reverse of forward mixing. Add key to plaintext (makes cryptanalysis more difficult by preventing easy determination of bit values entering S Boxes.) Then causes each sub block to impact other sub blocks, (diffusion/avalanche) 2 S Boxes used – tried to create random ones , 8 x 32 each Used 3 constants (fractional parts of e and pi and one they varied) (use well known values so can claim no trapdoors) i = ith S-Box entry, hashed 5i||c1||c2||c3 using SHA-1 to get entries. Varied one constant until got results with no all 0’s or all 1’s. Every 2 entries in each S-Box differs in at least 3 of 4 bytes and by at least 4 bits. 512 choose 2 distinct XOR differences Tried to minimize (i.e. keep within ½ +- 1/30 to 1/32 of chance bit is 0 or 1 based on other bit) correlation between any 2 bits in S-Box, bit correlation between input bit and bit in entry Almost ½ 1’s, ½ 0’s over all bits in all entries. Tweaked entries until achieved above. Above helps to prevent diff. and linear attacks. whitening

210 forward and backward mode.
MARS - Details Core Odd bit rotations E Function Type 3 Feistal network: 1 data block input to E, output  with other 3 data blocks. E function 32 bits in, 3 x 32 bits out (96). Multiply: Input:LSB greater impact than the MSB. Output: MSB affected more by input than LSB Choose LSBs to omit as input to S-Boxes. MSBs determine rotation amount. 13 bit rotation - max. resistance to differential attacks. 3 lines of E almost independent – min. chance of linear approx. Data dependent rotation Odd bit rotations Multiplication S-Box, addition Alternate blocks entering E. 16 rounds: 8 each of forward and backward mode.

211 Linear Transformation
Serpent Plaintext 128 bit data block IP 256 bit keys, pads shorter keys For i = 0 to 31 32 rounds Ki whitening Si mod 8 32 copies of S-Box used. 4 bit input to each. Linear Transformation Output bits = of input bits Bit j = 0 to 127: Odd j: XOR of 3 bits Even j: XOR of 7 bits Linear Transformation (except last round) K32 whitening IP-1 Decryption differs from encryption Ciphertext

212 Twofish 128 bit data 128,192,256 bit keys pads shorter keys whitening
4 key dependent S-Boxes Mix bits 16 rounds (Not Feistel – 1 bit rotations.) Maximize difference in outputs Pseudo Hadamard Transform (PHT) is mixing operation that is fast in software: a’ = a+b mod b’ = a+2b mod is a 32 bit PHT on 2 inputs a,b Initial and final XORs with keys hides inputs to first and last rounds, increasing difficulty of attacks. (ex. differential attack when try to set inputs to first round, XORs P’s, C’s same, but now can’t tell inputs to first,last round.) 1 bit rotations could be moved into Fiestal, but need additional rotation at the end. MDS = maximal distance separable matrix: maps elements from field a to elements from field b so that the difference between any two elements produced by the MDS is >= b+1. (5 bits) S Box outputs = 4 row vector of 8 bits in each entry; bijective so 64 bit round function is bijective to avoid iterative 2 round differential characteristics (which often provide highest characteristic probability). So no output has higher probability of occurring than any other output. Multiply by MDS 4x4 (a x b), 8 bits in each entry (mult. is mod 256, + is XOR) So resulting vectors differ by at least 5 bits? Output also dependent on all input. Exhaustive search used to find the matrix when designing Twofish. 01 EF 5B 5B 5B EF EF 01 EF 5B 01 EF EF 01 EF 5B Keys: N = 128,196 or 256 bits;; define k = N/64 = 2,3 or 4 Convert N bits into 2k 32 bit words, then split into two vectors (call M1,M2) Define 3rd vector S = N bits grouped by byte then multiplied by a MDS (Reed Solomon) then used to create S-Boxes via rounds of xor and static S-Boxes [4 bit output, 4 x16] M1,M2 used to create expanded key via same function used on S plus rotate and PHT. whitening Decryption differs from encryption.

213 Decryption use: >>>, -
RC6 break input into 4 words Consists of , +, * RC6_encrypt(A,B,C,D) { B = B + S[0]; D = D + S[1]; for (i=0; i < r; ++i) { t = (B*(2B+1)) <<< log2(w); u = (D*(2D+1)) <<< log2(w); A = ((A  t) <<< u) + S[2i]; C = ((C  u) <<< t) + S[2i+1]; (A,B,C,D) = (B,C,D,A); } A = A + S[2r+2]; C = C + S[2r+3]; return (A,B,C,D); whitening modify half of data,  with other half, shift whitening swap “halves” r = # of rounds S = expanded key (2r+3 words) w = word size * = multiplication mod 2w + = addition mod 2w <<< = left rotate whitening Decryption use: >>>, -

214 RC6 Key Schedule P32 = B7E15163 Q32 = 9E3779B9
Constants really are arbitrary and can be changed.

215 RC6

216 RC6 Encryption

217 Key Schedules Ideal key schedule pseudorandom expanded key bits
efficient Existing key schedules Unique per block cipher Lack of randomness/independence Contributes to attacks – if find few expanded key bits can plug into key schedule Design for efficiency Suggestion: Use a generic key schedule Generate as many expanded key bits as needed Single implementation Increase randomness compared to existing key schedules

218 Key Schedules – Existing
AES: bit strings created each as 4 32-bit words (11 whitening steps) The 128-bit key is split into four 32-bit words. Additional 128-bit strings are formed by: 1st word: a table lookup on a previous word then XOR it with a constant and a previous word. 2nd to 4th words: XORing two previous words Camellia, MISTY1: expanded key bits used in multiple locations RC6: more complex relationship between expanded key bits EK array of 32-bit words containing expanded key. x is a word concat(a,b,c,d) is concatenation of inputs to form a single bit-string of abcd. x <<< 8 rotate x to the left by 8 bits SubWord(x) applies S-Box of the round function to each byte of the word x. Constants: C = [0x ,0x ,0x ,0x ,0x , 0x ,0x ,0x ,0x1b000000,0x ] /* Place the 128-bit key in the first 4 entries of EK */ for (i=0; i $<$ 4; ++i) { EK[i] = concat(K[4*i] K[4*i+1] K[4*i+2] K[4*i+3]) } /* The first word of each remaining round key is formed from the XOR of a S-Box entry, a constant and a previous word. The second to fourth words of each remaining round key is the XOR of two previous words. */ for (i=4; i $<$ 44; ++i) { x = EK[i-1] if (i mod 4 == 0) { x = SubWord((x $<<<$ 8)) XOR C[i/4] } EK[i] = EK[i-4] XOR x

219 Example: Use of a Block Cipher to Create Random Bits
RSA SecurID® Provides a one time password Previous version used proprietary algorithm that was reversed engineered. Current version uses AES as a hash function Algorithm to handle timing issues

220 Agenda Introduction Block Ciphers Definition
Standards Competitions and Requirements Common Building Blocks Examples Modes of Encryption

221 ECB Mode P1 P2 C1 C2 Pn Cn Ek Identical plaintext blocks produce identical ciphertext block: pattern detection Patterns not likely in normal text – newspaper, book – due to need to align on block boundary Patterns likely in structured text – log files

222 ECB Mode Splice ciphertexts Replace ciphertext blocks P1 P2 C1 C2 Pn
Cn Ek P1 P’2 Pn Ek Ek Ek P’1 P’2 C’1 C’2 P’n C’n Ek C1 C’2 Cn

223 CBC Mode P1 P2 Pn IV Ek Ek Ek C1 C2 Cn

224 CBC Mode - Splicing P1 P2 C1  C2 IV Pn Cn Ek P’1 P’2 C’1  C’2 IV P’n
garbled P’3 P’n IV Ek Ek Ek Ek C1 C’2 C’3 C’n

225 Blockwise Adaptive Consider a block cipher and CBC mode
Environment where see ciphertext from plaintext block i before having to input plaintext block i+1 M1,M2,M3 are three distinct 2b-bit plaintexts. Know one of M1 and M2 was encrypted. Ciphertext, Cx CBC mode Cx M1, M2 ? Can form M3 to determine if it is M1 or M2.

226 Blockwise Adaptive M3: for first block send an arbitrary b-bit bits, receive the ciphertext, C3[1] Generate the next b bits of M3 by XORing the first block from Cx, C3[1] and M1[2] Notation: X[i] = ith block of X

227 Blockwise Adaptive C3[2] = Cx[2] if Cx is the encryption of M1
M3[2] = Cx[1]  C3[1]  M1[2] M3[1] IV Cx[1]  M1[2] Ek Ek C3[1] C3[2] C3[2] = Cx[2] if Cx is the encryption of M1 C3[2] ≠ Cx[2] if Cx is the encryption of M2.

228 CTR Mode Creates key stream and XORs with plaintext
IV IV+1 IV+n-1 Ek Ek Ek P1 P2 Pn C1 C2 Cn Creates key stream and XORs with plaintext Need to avoid reusing key and IV+i value combination

229 OFB Mode Xj = leftmost x bits of the b bit output from the cipher
I1 bits x+1 to b In-1 bits x+1 to b X1 Xn-1 I1 = IV I2 In Ek Ek Ek discarded discarded discarded X1 X2 Xn P1 P2 Pn C1 C2 Cn Xj = leftmost x bits of the b bit output from the cipher Pj is x bits Ij = Ij-1 bits x+1 to b || Xj-1

230 CFB Mode Cipher outputs b bits, the rightmost b-x bits are discarded.
I1 bits x+1 to b In-1 bits x+1 to b C1 Cn-1 I1 = IV I2 In Ek Ek Ek x bits discarded discarded x bits x bits discarded P1 P2 Pn C1 C2 Cn Cipher outputs b bits, the rightmost b-x bits are discarded. Pj is x bits Ij = Ij-1 bits x+1 to b || Cj-1

231 Ciphertext Stealing Example using CBC mode Length preserving P1 P2
Pn-1 Pn || Y X IV Ek Ek Ek Ek C1 C2 Cn-1 Cn X || Y Length preserving Use bits from next to last block of ciphertext to pad last plaintext block

232 Disk Encryption Modes seen so far process block, move on
no backward diffusion can easily distinguish output from random by encrypting a few plaintexts ex. If P1 = P2 in first x blocks, encrypt with same key then first x blocks of ciphertext are identical Tweakable modes: narrow-block encryption modes: LRW, XEX, XTS wide-block encryption: CMC, EME designed to securely encrypt sectors of a disk

233 XEX Disk encryption: N = sector index I = i1i2…ik = block index
XTS is XEX-based Tweaked CodeBook mode (TCB) with CipherText Stealing (CTS)

234 CMC Mode P1 P2 P3 P4 T k G k G k G k G X1 X4 M M M M k k k k G G G G T
T = G(tweak) using key k, T = 0 if no tweak M = 2(X1  X4) Halevi and Rogaway

235 EME mode EME: ECB-mask-ECB Mask is different from that of CMC mode
CMC creates PRP/SPRP in theory on m blocks EME does not Flaw – authors stated in CMC paper not fixable Patented Used for disk encryption in practice

236 Chapter 6 Theoretical Constructions of Pseudorandom Objects

237 Pseudorandom RandomGenerator must simulate randomness by carrying out a deterministic process that satisfies the following criteria: The values generated by that process should be difficult for human observers to predict. Those values should appear to be random, in the sense that they should pass statistical test for randomness. Because the process is not truly random, the values generated by RandomGenerator are said to be pseudorandom

238 Pseudorandom number generator
Can be viewed as a black box that generates a sequence of values , , , ... The pseudorandom number generator generates seemingly random values by applying a function to the previous value. The starting point for this sequence of values is called the seed. Java initializes the seed for its pseudorandom number generator to a value based on the system clock, which changes very quickly on a human time scale.

239 Using the RandomGenerator class
Create a single shared instance of the class RandomGenerator import acm.util private RandomGenerator rgen = RandomGenerator.getInstance(); Notice the difference? Using new is not appropriate for RandomGenerator because there should be only one random generator in an application. What you want to do instead is to ask the RandomGenerator class for a common instance that can be shared throughout all classes in your program.

240 Class hierarchy The RandomGenerator class is actually implemented as a subclass of a class called Random. Some methods that you call to produce random values are defined in RandomGenerator class itself; others are inherited from the Random class. RandomGenerator class is defined in the package acm.util, which is part of the ACM Java Libraries. Random class is part of java.util package, which is a collection of general utility classes. When you use the RandomGenerator class, you do not need to import the java.util package (unless you use it for some other purpose).

241 Why new is not appropriate?
Computers run much faster than the internal clock can register. If you create two RandomGenerator instances in a single program, it is likely that both will be initialized with the same seed and therefore generate the same sequence of values. This fact explains why it is important to create only one RandomGenerator instance in an application.

242 Debugging and random behavior
Unpredictability often makes debugging extermely difficult. Because the program runs in a different way each time, there is no way to ensure that a bug that turns up the first you run a program will happen again the second time around. To get around this problem, it is often useful to have your programs run deterministically during the debugging phase. To do so, you can use: rgen.setSeed(1) This call sets the random number seed to 1 so that the internal random number sequence will always begin at the same point. The value 1 is arbitrary.

243 Using the RandomGenerator class
private RandomGenerator rgen = RandomGenerator.getInstance(); This declaration usually appears outside of any method and is therefore an example of an instance variable. The key word private indicates that this variable can be used from any method within this class but is not accessible to other classes.

244 Methods to generate random values
int nextInt(int low, int high) Returns a random int between low and high inclusive. int nextInt(int n) Returns a random int between 0 and n-1. double nextDouble(double low, double high) Returns a random double in the range [low, high] double nextDouble() Returns a random double in the range [0, 1.0) boolean nextBoolean() Returns a random boolean value, which is true 50% of the time boolean nextBoolean(double p) Returns a random boolean, which is true with probability p, where 0<=p<=1. Color ne xtColor() Returns a random color.

245 Call method Send a message to the generator in rgen(receiver) int die = rgen.nextInt(1, 6) Returns an integer between 1 and 6 inclusive. (Rolling a die) String coinFlip = rgen.nextBoolean() ? “Heads” : “Tails”; Returns “Heads” or “Tails” in equal probability. (Flipping a coin)

246 Exercises Set the variable total to the sum of two dice.
int d1 = rgen.nextInt(1, 6); int d2 = rgen.nextInt(1,6); int total = d1 + d2; What’s wrong with int total = rgen.nextInt(2,12)? Flip a weighted coin that comes up heads 60% of the time. String flip = rgen.nextBoolean(0.6) ? “Heads” : “Tails”; Fill color of rect to some randomly chosen color rect.setFillColor(rgen.nextColor())

247 Simulating the game of Craps
public void run() { int total = rollTwoDice(); if (total == 7 || total == 11) { println(“That’s a natural. You win.”); } else if (total == 2 || total == 3 || total == 12) { println(“That’s craps. You lose.”); } else { int point = total; println(“Your point is “ + point + “.”); while (true) . . . } Trace the program

248 rollTwoDice() method private int rollTwoDice() { int d1 = rgen.nextInt(1, 6); int d2 = rgen.nextInt(1, 6); int total = d1 + d2; println(“Rolling dice: “ + d1 + “ + “ + d2 + “ = “ + total); return total; }

249 The while loop while (true) { total = rollTwoDice(); if (total == point) { println(“You made your point. You win.”; break; } else if (total == 7) { println(“That’s a 7. You lose.”); }

250 The javadoc documentation system
Unlike earlier languages that appeared before WWW, Java was designed to operate in web-based environment. One of the most important ways in which Java works together with web is the design of its documentation system, called javadoc. The Javadoc application reads Java source files and generates documentation for each class. You can see the complete documentation for the ACM Java Libraries from

251 Sample javadoc pages acm.util Class RandomGenerator public class RandomGenerator extends Random This class implements a simple random number generator that allows clients to generate pseudorandom integers, doubles, booleans, and colors. To use it, the first step is to declare an instance variable to hold the random generator as follows: private RandomGenerator rgen = RandomGenerator.getInstance();

252 Sample javadoc pages Constructor Summary RandomGenerator() Create a new random generator. Method Summary RandomGenerator getInstance() Returns a RandomGenerator instance that boolean nextBoolean(double p) Returns a random boolean value with specified Inherited Mehod Summary boolean nextBoolean() Returns a random boolean that is true 50 percent of the time. double nextDouble() Returns a random double in [0, 1)

253 Sample javadoc pages Constructor Detail public RandomGenerator() Create a new random generator. Most clients will not use the constructor directly but will instead call getInstance to obtain a RandomGenerator object that is shared by all classes in the application. Usage: RandomGenerator rgen = new RandomGenerator(); Method Detail Returns a RandomGenerator instance that can be shared among several classes. Usage: RandomGenerator rgen = RandomGenerator.getInstance(); Returns: A shared RandomGenerator object

254 Writing javadoc comments
To make javadoc work with your own programs, you need to specially formatted comments to your code. A javadoc comment begins with /** and extends up to */ just as a regular comment does. The javadoc application reads through them to find the information it needs to create the documentation. Although javadoc comments may consists of simple text, they may also contain formatting information written in HTML used to create web pages. The javadoc comments also often tags to describe parameters and results.

255 An example of javadoc comments
The javadoc comment /** * Returns the next random integer between 0 and * <code>n</code>-1, inclusive. n The number of integers in the range A random integer between 0 and <code>n</code>-1 */ public int nextInt(int n) Produces the following entry in “Method Detail” section of the web page public int nextInt(int n) Returns the next random integer between 0 and n-1, inclusive Parameter: n The number of integers in the range Return: A random integer between 0 and n

256 Defining your own classes
Defining a class by extending an existing class public class name extends super { class body } name: The name of the new class. Must be the same as the name of the source file. super: The name of the super class. If the extends clause is missing, the new class becomes a direct subclass of Object, which is the root of Java’s class hierarchy. class body: A sequence of definitions that typically includes constructors, methods, named constants, and instance variables. Generally called entries.

257 Controlling access to entries
public: All classes in the program have access to any public entry. The public entries in a class are said to be exported by that class. private: Access to entries declared as private is limited to the class itself, making that entry completely invisible outside the class. protected: Protected entries are restricted to the class that defines them, along with any of its subclasses or any classes in the same package. (no keyword): If the access keyword is missing, the entry is visible only to classes in the same package. Such entries are called package-private. The text uses only public and private. All entries are marked as private unless there is a compelling reason to export them.

258 A student information system
Class definition public class Student { } No clause extends, it is a direct subclass of the Java built-in Object class. It is used to keep track of the following information The name of the student The student’s six-digit identification number The number of credits the student has earned (which may include a decimal fraction to account for half- and quater-credit courses) A flag indicating whether the student has paid all university fees

259 Private instance variables
Each of these values is stored in an instance variable of the appropriate type. private String studentName; private int studentID; private double creditsEarned = 0.0; private boolean paidUp = false; Vary from object to object, cannot be directly accessed by clients.

260 Constructor /** * Creates a new Student object with the specified name * and ID. name The student’s name as a String id The student’s ID number as an int */ public Student(String name, int id) { studentName = name; studentID = id; } Different names for the formal parameters and the instance variables.

261 Methods /** * Gets the name of this student.
The name of this student */ public String getName() { return studentName; } Clients can only reach names throught methods, cannot directly access studentName (private instance variable).

262 Methods /** * Sets whether the student is paid up. flag The value indicating paid-up status */ public void setPaidUp(boolean flag) { paidUp = flag; } * Returns whether the student is paid up. Whether the student is paid up public boolean isPaidUp() { return paidUp;

263 Overriding Overriding toString defined in Object class public String toString() { return studentName + “ (#” + studentID + “)”; } toString, which converts the value of an object into string, is used by println. The + operator automatically converts int to String. By redefining (overriding) toString, println can print the value of an object Student in more readable form, such as Hermione Granger (#314159)

264 Using the Student class
Once you have defined the Student class, you can then use its constructor to create instances of that class. For example, you could use the following code to create two Student objects Student choseOne = new Student(“Harry Potter”, ); Student topStudent = new Student(“Hermione Granger”, ); You can then use the standard receiver syntax to call methods on these objects. topStudent.setCredits(97); choseStudent.getName();

265 Rational numbers A more elaborate example of class definition.
Rational numbers can be useful in cases in which you need exact calculation with fractions. The floating-point 0.1 is not exactly represented internally (binary). The rational number 1/10 is exact (the quotient of two integers). Standard arithmetic operations: a/b + c/d = (ad + bc)/(bd) a/b – c/d = (ad – bc)/(bd) a/b * c/d = (ac)/(bd) (a/b) / (c/d) = (ad) / (bc)

266 Implementing the Rational class
Section 6.5, p. 198. Constructors are overloaded. No argument: initialize to 0; One argument: initialize to that integer; Two arguments: initialize to a fraction. Invariant properties (remain in force) The numerator and denominator are reduced to lowest terms; The denominator is positive. The add, subtract, multiply, and divide methods are written so that one of the operands is the receiver (signified by the key word this) and the other is passed as an argument. For example r1.add(r2) Immutable: Classes whose internal state cannot be changed by clients, even through method calls. (Private instance variables num and den.)

267 The Rational class constructor
/** * The Rational class is used to represent rational numbers, which * are defined to be the quotient of two integers. */ public class Rational { /** Creates a new Rational initialized to zero. */ public Rational() { this(0); } * Creates a new Rational from the integer argument. n The initial value public Rational(int n) { this(n, 1);

268 The Rational class constructor
/** * Creates a new Rational with the value x/y. x The numerator of the rational number y The denominator of the rational number */ public Rational(int x, int y) { int g = gcd(Math.abs(x), Math.abs(y) { num = x / g; den = Math.abs(y) / g; if (y < 0) num = -num; } /** Private instance variables */ private int num; /* The numerator of this Rational */ private int den; /* The denominator of this Rational */

269 The Rational add method
/** * Adds the rational number r to this one and returns the sum. r The rational number to be added The sum of the current number and r */ public Rational add(Rational r) { return new Rational(this.num * r.den + r.num * this.den, this.den * r.den); } Note: This method has access to the components of r.

270 Overriding toString /**
* Creates a string representation of this rational number. The string representation of this rational number */ public String toString() { if (den == 1) { return “” + num; else return num + “/” + den; } The + (concatenation) operator automatically converts int into String. When printing num (int), a forced + operator is introduced into “” + num to convert int into String.

271 The Rational class /** * Calculates the greatest common divisor using Euclid’s algorithm. x First integer y Second integer The greatest common divisor of x and y */ public int gcd(int x, int y) { int r = x % y; while (r != 0) { x = y; y = r; r = x % y; }

272 Simulating rational calculation
A simple program that adds three rational numbers: 1/2 + 1/3 + 1/6 public void run() { Rational a = new Rational(1, 2); Rational b = new Rational(1, 3); Rational c = new Rational(1, 6); Rational sum = a.add(b).add(c); println(a + “ = “ + b “ + “ + “ + “ c + “ = “ + sum); } Trace the program.

273 Extending existing classes
Extend an existing class to create a new class that inherits most of its behavior from its superclass but makes some small extensions or changes. Example: Define a new class called FilledRect that is similar to the Grect class, except that it is filled rather than outlined by default. It makes sense to pass color to the constructor. Calling add(new FilledRect(10, 10, 100, 75, Color.RED)); for example, should create a 100x75 rectangle solidly filled in red and then add it to the canvas at the position (10,10)

274 The FilledRect class /** * This class is a Gobject subclass that is almost identical to GRect except that * it starts out filled instead of outlined. */ public class FilledRect extends GRect { /** Create a new FilledRect with the specified bounds. */ public FilledRect(double x, double y, double width, double height) { super(x, y, width, height); setFilled(true); } /** Create a new FilledRect with the specified bounds and color. */ public FilledRect(double x, double y, double width, double height, Color color) { this(x, y, width, height); setColor(color);

275 Rules for inherited constructors
When creating an object of an extended class, Java must call some constructor for the superclass object to ensure that its structure is correctly initialized. If the superclass does not define any explicit constructors, Java automatically provides a default constructor with an empty body. Java invokes the superclass in one of the following ways: Classes that begin with an explicit call to this invoke one of the other constructors for this class, delegating responsibility to that constructor for making sure that the superclass constructor gets called. Classes that begin with a call to super invoke the constructor in the superclass that matches the argument list provided. Classes that begin with no call to either super or this invoke the default superclass constructor with no arguments.

276 Rules for inherited constructors
When one class extends another, the subclass is allowed to override method definitions in its superclass. Whenever you invoke that method on an instance of the extended class, Java chooses the new version of the method. The decision about which version of a method to use is always made on the basis of what the object in fact is. If you need to invoke the original version of a method, you need to use the keyword super as a receiver, for example, supper.init(), where init method is the original method specified by the superclass.

277 Programming guideline
Avoid writing the same code in more than one part of a program. Duplicated code often can lead to serious maintenance problems, since it is easy for a maintainer to change one copy of the code without updating the others. Be careful whenever you override a method in an existing class because your new definition can violate assumptions made by the original class. As a general rule, it makes sense to override methods only when the documentation for those methods specifically invites you to do so. (For example, toString in Object class.)

278 Chapter 7 Number Theory and Cryptographic Hardness Assumptions

279 Private key cryptography
The function and/or key to encrypt/decrypt is a secret (Hopefully) only known to the sender and recipient The same key encrypts and decrypts How do you get the key to the recipient?

280 Public key cryptography
Everybody has a key that encrypts and a separate key that decrypts They are not interchangable! The encryption key is made public The decryption key is kept private

281 Public key cryptography goals
Key generation should be relatively easy Encryption should be easy Decryption should be easy With the right key! Cracking should be very hard

282 Is that number prime? Use the Fermat primality test Given:
n: the number to test for primality k: the number of times to test (the certainty) The algorithm is: repeat k times: pick a randomly in the range [1, n−1] if an−1 mod n ≠ 1 then return composite return probably prime

283 Is that number prime? The algorithm is: repeat k times:
pick a randomly in the range [1, n−1] if an−1 mod n ≠ 1 then return composite return probably prime Let n = 105 Iteration 1: a = 92: mod 105 = 1 Iteration 2: a = 84: mod 105 = 21 Therefore, 105 is composite

284 Is that number prime? The algorithm is: repeat k times:
pick a randomly in the range [1, n−1] if an−1 mod n ≠ 1 then return composite return probably prime Let n = 101 Iteration 1: a = 55: mod 101 = 1 Iteration 2: a = 60: mod 101 = 1 Iteration 3: a = 14: mod 101 = 1 Iteration 4: a = 73: mod 101 = 1 At this point, 101 has a (½)4 = 1/16 chance of still being composite

285 More on the Fermat primality test
Each iteration halves the probability that the number is a composite Probability = (½)k If k = 100, probability it’s a composite is (½)100 = 1 in 1.2  1030 that the number is composite Greater chance of having a hardware error! Thus, k = 100 is a good value However, this is not certain! There are known numbers that are composite but will always report prime by this test Source:

286 Google’s recruitment campaign

287 RSA Stands for the inventors: Ron Rivest, Adi Shamir and Len Adleman
Three parts: Key generation Encrypting a message Decrypting a message

288 Key generation steps Choose two random large prime numbers p ≠ q, and n = p*q Choose an integer 1 < e < n which is relatively prime to (p-1)(q-1) Compute d such that d * e ≡ 1 (mod (p-1)(q-1)) Rephrased: d*e mod (p-1)(q-1) = 1 Destroy all records of p and q

289 Key generation, step 1 Choose two random large prime numbers p ≠ q
In reality, 2048 bit numbers are recommended That’s  617 digits From last lecture: chance of a random odd 2048 bit number being prime is about 1/710 We can compute if a number is prime relatively quickly via the Fermat primality test We choose p = 107 and q = 97 Compute n = p*q n = 10379

290 Key generation, step 1 Java code to find a big prime number:
BigInteger prime = new BigInteger (numBits, certainty, random); The number of bits of the prime Certainty that the number is a prime The random number generator

291 Key generation, step 1 Java code to find a big prime number:
import java.math.*; import java.util.*; class BigPrime { static int numDigits = 617; static int certainty = 100; static final double LOG_2 = Math.log(10)/Math.log(2); static int numBits = (int) (numDigits * LOG_2); public static void main (String args[]) { Random random = new Random(); BigInteger prime = new BigInteger (numBits, certainty, random); System.out.println (prime); }

292 Key generation, step 1 How long does this take?
Keep in mind this is Java! These tests done on a 850 Mhz Pentium machine Average of 100 trials (certainty = 100) 200 digits (664 bits): about 1.5 seconds 617 digits (2048 bits): about 75 seconds

293 End of lecture on 23 March 2007 In the later class; the earlier class did the next 3 slides

294 Key generation, step 1 Practical considerations
p and q should not be too close together (p-1) and (q-1) should not have small prime factors Use a good random number generator

295 Key generation, step 2 Choose an integer 1 < e < n which is relatively prime to (p-1)(q-1) There are algorithms to do this efficiently We aren’t going over them in this course Easy way to do this: make e be a prime number It only has to be relatively prime to (p-1)(q-1), but can be fully prime

296 Key generation, step 2 Recall that p = 107 and q = 97
(p-1)(q-1) = 106*96 = = 26*3*53 We choose e = 85 85 = 5*17 gcd (85, 10176) = 1 Thus, 85 and are relatively prime

297 Key generation, step 3 Compute d such that: d * e ≡ 1 (mod (p-1)(q-1))
Rephrased: d*e mod (p-1)(q-1) = 1 There are algorithms to do this efficiently We aren’t going over them in this course We choose d = 4669 4669*85 mod = 1 Use the script at

298 Key generation, step 3 Java code to find d: import java.math.*;
class FindD { public static void main (String args[]) { BigInteger pq = new BigInteger("10176"); BigInteger e = new BigInteger ("85"); System.out.println (e.modInverse(pq)); } Result: 4669

299 Key generation, step 4 Destroy all records of p and q
If we know p and q, then we can compute the private encryption key from the public decryption key d * e ≡ 1 (mod (p-1)(q-1))

300 The keys We have n = p*q = 10379, e = 85, and d = 4669
The public key is (n,e) = (10379, 85) The private key is (n,d) = (10379, 4669) Thus, n is not private Only d is private In reality, d and e are 600 (or so) digit numbers Thus n is a 1200 (or so) digit number

301 Encrypting messages To encode a message:
Encode the message m into a number Split the number into smaller numbers m < n Use the formula c = me mod n c is the ciphertext, and m is the message Java code to do the last step: m.modPow (e, n) Where the object m is the BigInteger to encrypt

302 Encrypting messages example
Encode the message into a number String is “Go Cavaliers!!” Modified ASCII codes: Split the number into numbers < n Recall that n = 10379 Use the formula c = me mod n mod = 4501 mod = 2867 mod = 4894 Etc… Encrypted message:

303 Encrypting RSA messages
Formula is c = me mod n

304 Decrypting messages Use the formula m = cd mod n on each number
Split the number into individual ASCII character numbers Decode the message into a string

305 Decrypting messages example
Encrypted message: Use the formula m = cd mod n on each number mod = 4181 mod = 0237 mod = 6788 Etc… Split the numbers into individual characters Decode the message into a string Modified ASCII codes: Retrieved String is “Go Cavaliers!!”

306 modPow computation How to compute c = me mod n or m = cd mod n?
Example: mod = 4181 Use the script at Other means: Java: use the BigInteger.modPow() method Perl: use the bmodpow function in the BigInt library Etc…

307 Why this works m = cd mod n c = me mod n cd ≡ (me)d ≡ med (mod n)
Recall that: ed ≡ 1 (mod p-1) ed ≡ 1 (mod q-1) Thus, med ≡ m (mod p) med ≡ m (mod q) med ≡ m (mod pq) med ≡ m (mod n)

308 Cracking a message In order to decrypt a message, we must compute m = cd mod n n is known (part of the public key) c is known (the ciphertext) e is known (the encryption key) Thus, we must compute d with no other information Recall: choose an integer 1 < e < n which is relatively prime to (p-1)(q-1) Recall: Compute d such that: d*e mod (p-1)(q-1) = 1 Thus, we must factor the composite n into it’s component primes There is no efficient way to do this! We can, very easily, tell that n is composite, but we can’t tell what its factors are Once n is factored into p and q, we compute d as above Then we can decrypt c to obtain m

309 Cracking a message example
In order to decrypt a message, we must compute m = cd mod n n = 10379 c is the ciphertext being cracked e = 85 In order to determine d, we need to factor n d*e mod (p-1)(q-1) = 1 We factor n into p and q: 97 and 107 This would not have been feasible with two large prime factors!!! d * 85 (mod (96)(106)) = 1 We then compute d as above, and crack the message

310 Signing a message Recall that we computed: d*e mod (p-1)(q-1) = 1
Note that d and e are interchangable! You can use either for the encryption key You can encrypt with either key! Thus, you must use the other key to decrypt

311 Signing a message To “sign” a message:
Write a message, and determine the MD5 hash Encrypt the hash with your private (encryption) key Anybody can verify that you created the message because ONLY the public (encryption) key can decrypt the hash The hash is then verified against the message

312 PGP and GnuPG Two applications which implement the RSA algorithm
GnuPG Is open-source (thus it’s free) PGP was first, and written by Phil Zimmerman The US gov’t didn’t like PGP…

313 The US gov’t and war munitions

314 How to “crack” PGP Factoring n is not feasible
Thus, “cracking” PGP is done by other means Intercepting the private key “Hacking” into the computer, stealing the computer, etc. Man-in-the-middle attack (next 2 slides) Etc.

315 Man-in-the-middle attack: “Normal” RSA communication
What is your public key? My public key is 12345… What is your public key? My public key is 67890… Here’s message encrypted with 12345… Here’s a response encrypted with 67890…

316 What is your public key? What is your public key? My public key is 12345… My public key is abcde… What is your public key? What is your public key? Black has the private decryption key for abcde… My public key is 67890… My public key is vwxyz… Here’s message encrypted w/ abcde… Black has the private decryption key for vwxyz… Decrypts message with corresponding private key to abcde…; re-encrypts message with blue’s public key (12345…) Here’s message encrypted w/ 12345… Here’s response encrypted w /vwxyz… Decrypts message with corresponding private key to vwxyz…; re-encrypts message with yellow’s public key (67890…) Here’s response encrypted w/ 67890…

317 Other public key encryption methods
Modular logarithms Developed by the US government, therefore not widely trusted Elliptic curves

318 Quantum computers A quantum computer could (in principle) factor n in reasonable time This would make RSA obsolete! Shown (in principle) by Peter Shor in 1993 You would need a new (quantum) encryption algorithm to encrypt your messages This is like saying, “in principle, you could program a computer to correctly predict the weather” A few years ago, IBM created a quantum computer that successfully factored 15 into 3 and 5 I bet the NSA is working on such a computer, also

319 Chapter 8 Factoring and Computing Discrete Logarithms

320 Discrete Logarithm(s) (DLs)
Fix a prime p. Let a, b be nonzero integers (mod p). The problem of finding x such that ax ≡ b (mod p) is called the discrete logarithm problem. Suppose that n is the smallest integer such that an ≡1 (mod p), i.e., n=ordp(a). By assuming 0≤x<n, we denote x=La(b), and call it the discrete log of b w.r.t. a (mod p) Ex: p=11, a=2, b=9, then x=L2(9)=6

321 Discrete Logarithms In the RSA algorithms, the difficulty of factoring a large integer yields good cryptosystems In the ElGamal method, the difficulty of solving the discrete logarithm problem yields good cryptosystems Given p, a, b, solve ax ≡ b (mod p) a is suggested to be a primitive root mod p

322 One-Way Function A function f(x) is called a one-way function if f(x) is easy to compute, but, given y, it is computationally infeasible to find x with y=f(x). La(b) is a one-way function if p is large

323 Primitive Roots mod 13 a is a primitive root mod p if
{ak | 1≦k≦p-1} = {1,2, …,p-1} ♪ 2, 6,7,11 are primitive roots mod 13 33 ≡ 1 (mod 13), ≡ 1 (mod 13), 54 ≡ 1 (mod 13), ≡ 1 (mod 13), 93 ≡ 1 (mod 13), ≡ 1 (mod 13), 122 ≡ 1 (mod 13)

324 Solve ax ≡ b (mod p) An exhaustive search for all 0 ≤ x < p
Check only for even x or odd x according to b(p-1)/2 ≡ (ax)(p-1)/2 ≡(a(p-1)/2)x ≡(-1)x≡ 1 or -1 (mod p), where a is a primitive root (Ex) p=11, a=2, b=9, since b(p-1)/2 ≡95≡1, then check for even numbers {0,2,4,6,8,10} only to find x=6 such that 26 ≡ 9 (mod 11)

325 Solve ax ≡ b (mod p) by Pohlig-Hellman
Let p-1 = Πqr for all q|(p-1), write b0 =b,and x=x0 + x1q +x2q2 + … + xr-1qr-1 for 0 ≤ xi ≤ q-1 1. Find 0≤ k ≤q-1 such that (a(p-1)/q)k≡b(p-1)/q , then x0 ≡k, next let b1≡b0a-x0 2. Find 0≤ k ≤q-1 such that (a(p-1)/q)k≡[b1](p-1)/q^2 , then x1 ≡k, next let b2≡b1a-x1 3. Repeat steps 1, 2 until xr-1 is found for a q 4. Repeat steps 1~3 for all q’s, then apply Chinese Remainder Theorem to get the final solution

326 7x ≡12 (mod 41); p=41, a=7, b=12, p-1=41-1=40 =23 5 b0 =12
For q=2: b0 =12, b1 =31, b2=31, and x = x0 +2x1+4x2 ≡1+2·0+4·1≡ 5 (mod 8) For q=5: b0 =12, b1 =18, and x = x0 ≡ 3 (mod 5) Solving x ≡ 5 (mod 8) and x≡ 3 (mod 5), We have x≡13 (mod 40)

327 Solve ax ≡ b (mod p) by Index Calculus
Let B be a bound and let p1,p2,…, pm be the primes less than B and cover all of the prime Factors of p-1. Then appropriately choose k(j)’s such that ak(j)≡(p1)r1(p2)r2 … (pm)rm , i.e., r1*La(p1)+r2*La(p2)+… + rm*La(pm) ≡k(j) for several j’s, solve the linear system to get La(p1), La(p2), … , La(pm), then select R apply baR ≡(p1)b1 (p2)b2 … (pm)bm , then the solution is La(b)≡-R+ΠbiLa(pi)

328 Solve 2x ≡37 (mod 131) p=131, a=2, b=37, let B=10, then
p1=2, p2=3, p3=5, p4=7, since 28≡53 , 212≡5·7 , 214≡32 , 234≡3·52 (mod p), we have 3L2(5)≡ 8 (mod 130) L2(5)+ L2(7)≡12 (mod 130) 2L2(3)≡14 (mod 130) L2(3)+2L2(5)≡34 (mod 130)

329 L2([3, 5, 7])=[72, 46, 96] Choose R=43, then
37·243 ≡3·5·7 (mod 131), so we have L2(37) ≡-43+ L2(3)+ L2(5)+ L2(7) ≡ 41 (mod 130) ♪ L2(11) ≡ 56 (mod 130) [R=4] ♪ L2(23) ≡ 23 (mod 130) [R=5]

330 A Lemma on p≡3 (mod 4) Let p≡3 (mod 4), r≥2. Suppose a and g are
nonzero integers such that g≡ay(2^r) (mod p). Then g(p+1)/4 ≡ ay[2^(r-1)] (mod p) [Proof] g(p+1)/4 ≡ a(p+1)y[2^(r-2)] ≡ay(2^(r-1))[a(p-1)]y(2^(r-2)) ≡ ay(2^(r-1)) (mod p)

331 A La(b) (mod 4) Machine Let a be a primitive root (mod p), where
p≡3 (mod 4) is large, then Computing La(b) (mod 4) is as difficult as finding the solution of ax ≡ b (mod p) [P.172]

332 The ElGamal Public Key Cryptosystem
Alice wants to send a message m to Bob. Bob chooses a large prime p and a primitive root a. Assume m is an integer 0≤m<p, and Bob selects a secret integer x to compute b≡ax (mod p). The information (p,a,b) is made public and is Bob’s public key. Alice does the following procedures.

333 Encryption and Decryption
Downloads (p,a,b) Chooses a secret random k and computes r≡ak (mod p) Computes t≡bkm (mod p) Sends the pair (t,r) to Bob Bob decrypts by computing tr-x (≡m (mod p))

334 Chapter 9 Private-Key Management and the Public-Key Revolution

335 Limitations of Private-Key Cryptography

336 Merkle Puzzles (Key Exchange W/O TTP)

337 The Setting and Definition of Security

338 Needham-Schroeder Protocol

339 Public-Key Revolution

340 Diffie-Hellman Key-Exchange Protocol

341 Triparties Key Exchange

342 Chapter 10 Additional Public-Key Encryption Schemes

343 Introduction Background Info Stream Ciphers Private-key Methods
Public-key Methods Block Ciphers Types of Attacks

344 Constructions of Secure Encryption Schemes
Key ideas: Using any pseudorandom function, one can construct secure private-key encryption schemes Using any trapdoor one-way permutation, one can construct secure public-key encryption schemes Secure schemes must employ a probabilistic (randomized) encryption algorithm so that one cannot distinguish two encryptions of the same message

345 Stream Ciphers Typically there are less Stream Ciphers in use than Block Ciphers Difficult to use correctly Basis: Pseudorandom Generators Keys States XOR

346 Stream Ciphers Basic Construction: Key-generation/Initial State
Uniformly select R (random number) and generate key pair (r,r) and set initial state to t=0 Encrypting Plaintext Encrypt plaintext x with key r and state t such that l=|x| and p is the l-bit suffix of the encryption algorithm with input r and 1^(t+l) so that ciphertext is x Å p, and new state is t+l Decrypting Ciphertext Decrypt ciphertext y with key r and state t such that l=|y| and p is the l-bit suffix again so that the plaintext is y Å p

347 Stream Ciphers Why are they so hard to use? Must never reuse a key
If key is reused, same stream of output generated Must keep track of states Must always depend on other things: Some way to agree on keys Authentication Synchronization

348 Stream Ciphers Some examples: A5 RC4 SOBER WAKE SEAL Panama

349 Private-key Methods Basic Construction:
Block Cipher with length n for message x Generate key by selecting seed s and applying function fs Encryption algorithm selects a uniform string r and produces ciphertext (r,xÅfs(r)) Decrypt ciphertext (r,y) using key s by computing yÅfs(r)

350 Public-key Methods Basic Construction:
Key generation selects a random permutation p from a collection of trapdoor permutations, along with a trapdoor t (p serves as the public-key and t serves as the private-key) When encrypting a bit b, the encryption algorithm randomly selects an element r in the domain of p and produces ciphertext (p(r),bÅr)

351 Public-key Methods Decrypting occurs by taking ciphertext (y, s) and computing the inverse using t or sÅr(p-1(y)) The security of the scheme follows from the one-way feature of the collection p

352 Block Ciphers Basis: Take blocks of input and encrypt entire block
Reusable keys Different modes Keep in mind potential problem areas: Block padding Initialization vectors Codebook attacks, use the right modes

353 Block Ciphers Modes of Operation: Different characteristics
Error propagation Resynchronization Block resolution Efficiency Increase in data size 4 Modes defined in Federal Information Processing Standards

354 Block Ciphers Electronic Code Book – separately encrypt each block, patterns recognizable, “codebook” can be built up Cipher Block Chaining – XOR plaintext with previous ciphertext block, then encrypt, use initialization vector for first block, makes identical inputs look different

355 Block Ciphers Ciphertext Feedback – take previous ciphertext, encrypt, then XOR with plaintext Output Feedback – encrypt previous output, then XOR with plaintext to get ciphertext, uses counters to determine where to take from output

356 Block Ciphers Basic Construction: Generate key pair Encrypt plaintext
Break message into consecutive blocks of length l (possibly have to augment the last block with some padding) Encrypt each block with encryption key r Decrypt ciphertext Decrypt each block with decryption key d and concatenate blocks less padding to get plaintext

357 Block Ciphers The Basic Construction results in ciphertexts that reveal the exact length of the original plaintext This is acceptable and completely hiding the length is futile Encryption schemes that hide some information about the length of the plaintext can easily be constructed

358 Block Ciphers Some examples: DES Blowfish IDEA SAFER CAST
AES (Rijndael)

359 Block Ciphers - AES Advanced Encryption Standard
National Institute of Standards and Technology search for standard replacement for DES Requirements: 128 bit blocksize 128, 192, 256 bit keys Finalists announced in August 1999

360 Block Ciphers - AES Serpent Rijndael Twofish Mars RC6 Winner: Rijndael

361 Block Ciphers - AES Joan Daemen and Vincent Rijmen (Belgium)
Based on an algorithm called Square Supports keys which are multiples of 32 bits and block sizes which are multiples of 64 bits Number of rounds changes based on key size Generally faster than the other candidates

362 Block Ciphers - AES Key Schedule for Rijndael:
Expand cipher key (varies depending on key length, uses linear recurrence relations) Round keys are taken from the expanded cipher key Round keys are then rotated, passed through the S-box, and XOR’d with a round dependent constant (constants based on similar computation to S-box)

363 Block Ciphers - AES Variable rounds:
9 if both block and key are 128 bits 11 if either block or key is 192 bits and neither are longer than that 13 if either block or key is 256 bits etc

364 Block Ciphers - AES Using Rijndael:
Perform Add Round Key Step (XOR a subkey with the block) Perform rounds: Byte Sub (each byte of the block is replaced by its substitute from an S-box) Shift Row Bytes are arranged in a rectangle and shifted, ex. from to

365 Block Ciphers - AES The S-box is: 99 124 119 123 242 107 111 197

366 Block Ciphers - AES Mix Column
Matrix multiplication performed where each column is multiplied by: Add round key (XOR subkey for current round) An extra final round is added where the mix column step is omitted

367 Block Ciphers - AES

368 Block Ciphers - AES

369 Types of Attacks Passive Attacks
Adversary eavesdrops on the line and possibly gets the sender to encrypt a message of the adversary’s choice and/or gets the sender to decrypt a ciphertext of the adversary’s choice Key-oblivious: choice of plaintext does not depend on the key Key-dependent: choice of plaintext does depend on the key

370 Types of Attacks Chosen Plaintext Attacks
Attacker obtains the encryption of any plaintext of its choice (under the key being attacked) Chosen Ciphertext Attacks Attacker obtains the decryption of any ciphertext of its choice (under the key being attacked)

371 Chapter 11 Digital Signature Schemes

372 Introduction Cryptography – art & science of preventing users from unauthorized or illegal actions towards information, networking resources and services. Cryptographic transformation – conversion of input data into output data using a cryptographic key. Cryptosystem – forward and inverse cryptographic transformation pair

373 A Cryptosystem Forward Cryptographic Transformation
Inverse Cryptographic Transformation Key Output data Input data Sender Receiver Input data

374 Types of Cryptosystems
Private key cryptosystem – a private key is shared between the two communicating parties which must be kept secret between themselves. Public key cryptosystem – the sender and receiver do not share the same key and one key can be public and the other can be private

375 Types of Cryptosystems
Forward Cryptographic Transformation Inverse Cryptographic Transformation Key Output data Input data Sender Receiver Share private key A Private Key Cryptosystem

376 Types of Cryptosystems
Sender Receiver Output data Input data Input data Forward Cryptographic Transformation Inverse Cryptographic Transformation 1st Key 2nd Key Do not share the same key information and one key may be public A Public Key Cryptosystem

377 Digital Signatures Encryption, message authentication and digital signatures are all tools of modern cryptography. A signature is a technique for non-repudiation based on the public key cryptography. The creator of a message can attach a code, the signature, which guarantees the source and integrity of the message.

378 Properties of Signatures
Similar to handwritten signatures, digital signatures must fulfill the following: Must not be forgeable Recipients must be able to verify them Signers must not be able to repudiate them later In addition, digital signatures cannot be constant and must be a function of the entire document it signs

379 Types of Signatures Direct digital signature – involves only the communicating parties Assumed that receiver knows public key of sender. Signature may be formed by (1) encrypting entire message with sender’s private key or (2) encrypting hash code of message with sender’s private key. Further encryption of entire message + signature with receiver’s public key or shared private key ensures confidentiality.

380 Types of Signatures Problems with direct signatures:
Validity of scheme depends on the security of the sender’s private key  sender may later deny sending a certain message. Private key may actually be stolen from X at time T, so timestamp may not help.

381 Types of Signatures Arbitrated digital signature – involves a trusted third party or arbiter Every signed message from sender, X, to receiver, Y, goes to an arbiter, A, first. A subjects message + signature to number of tests to check origin & content A dates the message and sends it to Y with indication that it has been verified to its satisfaction

382 Basic Mechanism of Signature Schemes
A key generation algorithm to randomly select a public key pair. A signature algorithm that takes message + private key as input and generates a signature for the message as output A signature verification algorithm that takes signature + public key as input and generates information bit according to whether signature is consistent as output.

383 Digital Signature Standards
NIST FIPS 186 Digital Signature Standard (DSS) El Gamal RSA Digital Signature - ISO ANSI X CCITT X.509

384 DSS Public-key technique.
User applies the Secure Hash Algorithm (SHA) to the message to produce message digest. User’s private key is applied to message digest using DSA to generate signature.

385 Global Public-Key Components User’s Per-Message Secret Number
A prime number of L bits where L is a multiple of 64 and 512  L  1024 q A 160-bit prime factor of p-1 g = h(p-1)/q mod p, where h is any integer with 1<h< p-1, such that (h(p-1)/q mod p)>1 User’s Private Key x A random or pseudorandom integer with 0<x<q User’s Public Key y = gx mod p User’s Per-Message Secret Number k A random or pseudorandom integer with 0<k<q Signing r = (gk mod p) mod q s = [k-1 (H(M) = xr)] mod q Signature = (r, s) Verifying w = (s’)-1 mod q u1 = [H(M’)w] mod q u2 = (r’)w mod q v = [(gu1yu2) mod p] mod q Test: v = r’ The Digital Signature Algorithm (DSA)

386 DSS DSA - M = message to be signed - H(M) = hash of M using SHA - M’, r’, s’ = received versions of M, r, s

387 El Gamal Signature Scheme
A variant of the DSA. Based on the assumption that computing discrete logarithms over a finite field with a large prime is difficult. Assumes that it is computationally infeasible for anyone other than signer to find a message M and an integer pair (r, s) such that aM = yrrs(mod p).

388 El Gamal Signature Scheme
Parameters of El Gamal p A large prime number such that p-1 has a large prime factor x The private key information of a user where x<p a A primitive element of the finite field for the prime p y = ax mod p (p,a,y) The public key information

389 El Gamal Signature Scheme
Step 1 Randomly choose an integer k such that (k, p-1) = 1, 1<k<p-1, and k has not been used to sign a previous message Step 2 Calculate r = ak (mod p) Step 3 Find s such that M = xr + ks (mod (p-1)) Step 4 Collect the pair (r, s) as the digital signature on the message M Since, M = xr + ks (mod (p-1))  aM = a(xr+ks) = axraks = yrrs(mod p) Given M and (r, s), the receiver or 3rd party can verify the signature by checking whether aM = yrrs(mod p) holds or not.

390 RSA Digital Signature Scheme
Based on the difficulty of factoring large numbers. Given M, RSA digital signature can be produced by encrypting either M itself or a digest of M using the private signature key s. Signature, S = ws mod n, where w is message to be signed or message digest and n = pq (p and q are large primes). Verification: w = Sv mod n, where (v, n) is the public verification key.

391 Digital signatures are an effective mechanism used for authenticity and non-repudiation of messages.
Several signature schemes exist, but DSS is probably the most popular. Digital signatures may be expanded to be used as digital pseudonyms which would prevent authorities from figuring out a sender’s identity, for example by cross-matching

392 Chapter 12 Public-Key Cryptosystems in the Random Oracle Model

393 Introduction Cryptographic theory has provided a potentially invaluable notion for cryptographic practice: the idea of provable security. Unfortunately, theoretical work often gains provable security only at the cost of effciency. Schemes like standard RSA are efficient but not provably secured. There are schemes who are provably secured but are not efficient. However, there are encryption schemes, for eg. El Gamal encryption, which are efficient and secured at the same time. There is a need to construct more encryption schemes which are provably secure, but also efficient.One of the approach use is through Random Oracles.

394 Random Oracle 2.1 Random Oracle Model
A Random Oracle is a theoretical black box that responds to every query with a (truly) random response chosen uniformly from its output domain, except that for any specific query, it responds the same way every time it receives that query i.e a random oracle is a mathematical function mapping every possible query to a random response from its output domain. Random Oracle Model The Random Oracle Model (ROM) was first formalised by Bellare and Rogaway. In the random oracle model, one assumes that some hash function is replaced by a publicly accessible random function (the random oracle).

395 This means that the adversary cannot compute the result of the hash function by himself, he must query the random oracle. The random oracle model has been used to prove the security of numerous cryptosystems, and it has lead to simple and efficient designs that are widely used in practice. However, a proof in the random oracle model is not fully satisfactory, because such a proof does not imply that the scheme will remain secure when the random oracle is replaced by a concrete hash function (such as SHA-1). However, using a scheme that is proved in the Random Oracle model is better than no proof. However if at the slight cost of efficiency, we have a cryptosystem with a proof in the standard model (like that of the ElGamal encryption), then that is preferred.

396 Random Oracle Methodology
The Random Oracle Model, a popular methodology for designing crypto- graphic protocols consists of the following two steps. One first designs an ideal system in which all parties (including the adversary) have oracle access to a truly random function, and proves the security of this ideal system. Next, one replaces the random oracle by a good cryptographic hashing function (such as MD5 or SHA), providing all parties (including the adversary) with the succinct description of this function. Thus, one obtains an implementation of the ideal system in a “real-world” where random oracles do not exist.

397 Proof Technique We assume that if an adversary A, has not queried for some point x, then H(x) is completely random. We then try and construct a reduction, showing that if A is able to break the encryption scheme using the Random Oracle, then it can be used to break our standard cryptographic assumption. The reduction may choose value for the output of the Random Oracle and return to A. Also, it knows all the queries made to the Random Oracle.

398 Example Consider a RSA based scheme, public key: [N, e] secret key: d
Plaintext: m ∈ {0, 1} Enc: < [remodN, m ⊕ H(r)] > If the RSA problem is hard and H is modeled as a Random Oracle, the construction has IND secured encryptions under CPA. Let A be a PPT, we define: s(n) = Pr[PubKeav (n) = 1] where PubKeav (n) is defined as follows

399 A random function H is chosen.
Generate < N, e, d >. A is given pk =< N, e > and may query H(.). Eventually A outputs two messages, m0, m1 ← {0, 1}l(n) A random bit b ← {0, 1} and a random r ← Z∗ are chosen. A is given the ciphertext, < [remodN, H(r) ⊕ mb] > . The adversary can still query H(.). 4. Finally, A outputs bt. PubKeav (n) returns 1, if b = bt. Else 0 is returned. We Define Query to be the event that at any point A queries r to the RO (where r is the value used to generate the challenge, c). Pr[success] = Pr[success ∧ Query] + Pr[success ∧ Query] ≤ Pr[sucess|Query] + Pr[Query]

400 Claim 1: Pr[success|Query] ≤ 1/2 Claim 2: Pr[Query] is negligible
Claim 1 follows from the fact that if A does not query for r, then H(r) is random, and so A has no way to understand whether m0 or m1 was encrypted. For Claim 2 Construct a reduction D, which takes as input c1 = remodN and has to output r (i.e break RSA). It generates randomly c2 ∈ {0, 1}l(n) and sends to A. A makes some queries to H, ri.D observes the queries and checks if i modN = c1.Whenever there is a match, thus RSA is broken. So, the Pr[Query] must be negligible,under the standard RSA assumption.

401 3 Preliminaries NOTATION, {0, 1}n denotes the space of finite binary strings and {0, 1}inf ty denotes the space of infnite ones. Strings are finite unless we say otherwise. We denote by a||b, or just ab, the string which is the concatenation of strings a and b. The empty string is denoted . A polynomial time algorithm is one which runs in time polynomial in its first argument. PPT stands for ” probabilistic, polynomial time.”A function s(k) is negligible if for every c there exists a kc such that s(k) ≤ k−c for every k ≥ kc . A function is said to be non-negligible if it is not negligible. We’ll use the notation ”k−ω(1) ” to mean the class negligible functions or a particular anonymous function in this class.

402 Notation for probabilistic algorithms, spaces and experiments follows
Notation for probabilistic algorithms, spaces and experiments follows. If A is a probabilistic algorithm then, for any inputs x, y, .... the notation A(x, y, ....) refers to the probability space which to the string assigns the probability that A, on input x, y, .... ,outputs σ . If S is a probability space we denote its sup- port (the set of elements of positive probability) by [S] . If S is a probability space then x ← S denotes the algorithm which assigns to x an element randomly selected according to S . In the case that S consists of only one element e we might also write x ← e. For probability spaces S, T, ...., the notation Pr[x ← S; y ← T ; .... : p(x, y, ....)] denotes the probability that the predicate p(x, y, ....) is true after the ( ordered ) execution of the algorithms x ← S, y ← T , etc. Let f be a function. We extend this notation to de- fine also probability spaces and algorithms via experiments.

403 For example {x ← S; y ← T ; .... : f (x, y, ....)} denotes the probability space which to the string σ assigns the probability Pr[x ← S; y ← T ; .... : σ = f (x, y, ....)] And < a, b, .... : x ← S; y ← T ; .... : f (a, b, ...., x, y, ....) > denotes the algorithm which on inputs a, b, .... runs the sequence of experiments x ← S, y ← T, ...., and outputs f (a, b, ...., x, y, ....). ORACLES , For convenience, a random oracle R is a map from {0, 1}∗ to {0, 1}∞ chosen by selecting each bit of R(x) uniformly and independently, for every x. Of course no actual protocol uses an infinitely long output, this just saves us from having to say how long ”sufficiently long” is. We denote by 2∞ the set of all random oracles.

404 The letter ”R” will denote the ”generic” random oracle, while G : {0, 1}∗ ←{0, 1}∞ will denote a random generator and H : {0, 1}∗ ← {0, 1}k a random hash function. Whenever there are multiple oracles mentioned, all of these are independently selected. Via all sorts of natural encodings, a single random oracle R can be used to provide as many independent random oracles as one wants.As usual the oracles provided to an algorithm are indicated by superscripts. Sometimes the oracle is understood and omitted from the notation. Trapdoor Permutations. A trapdoor permutation generator is a PPT algorithm G∗ which on input 1 outputs (the encoding of) a triple of algorithms (f, f−1, d). The rest two are deterministic and the last is probabilistic.

405 We require that [d(1k )] be a subset of {0, 1} and that f, f
We require that [d(1k )] be a subset of {0, 1} and that f, f be permutations on [d(1k )] which are inverses of one another. We require that there exist a polynomial p such that f, f−1 and d are computable in time p(k), and that for all nonuniform polynomial time adversaries M , is negligible. s(k) = Pr[(f, f, d) ← G (1 ); x ← d(1 ); y ← f (x) : M (f, d, y) = x RSA 38 is a good example of trapdoor permutation. Call a trap door permutation generator G∗ uniform if for all k and all (f, f− , d) ∈ [G(1 k )] it is the case that d is the uniform distribution on {0; 1}k .

406 We extend the notion of public key encryption to the random oracle model. The scheme is specified by a PPT generator G which takes a security parameter 1k and outputs a pair of probabilistic algorithms (E, D) which are called the encryption and decryption algorithms respectively and which run in time bounded by Gts time complexity. A user U runs G to get (E, D) and makes the former public while keeping the latter secret. To encrypt message x anyone can compute y ← ER(x) and send it to U ; to de- crypt ciphertext y user U computes x ← DR(y). We require DR(ER(x)) = x for all x and assume for simplicity that DR(y) = 0 if y is not the encryption under ER of any string x.

407 4 Security in the Random Oracle Model
Definition. We adapt the notion of polynomial security to the random oracle model. A CP-adversary (chosen-plaintext adversary) A is a pair of nonuniform polynomial time algorithms (F ; A1), each with access to an oracle. For an encryption scheme G to be secure in the random oracle model we require that for any CP-adversary A = (F, A1), Pr[R ← 2∞; (E, D) ← G(1k ); (m0, m1) ← FR(E); b ← {0, 1}; α ← E (m ) : A (E, m0, m1, α) = b] ≤+ k. Note that the oracle used to encrypt and decrypt is given to the adversary who tries to distinguish the encryption of strings m0 and m1, so, for example, a hash H(x) with H derived from R could most certainly not appear in the secure encryption of a string x.

408 EG ←< x : r ← d(1k ) : f (r)||G(r) ⊕ x >
Encryption By E(x) = f (r)||G(r) ⊕ x .To specify our encryption scheme, let G∗ be a trapdoor permutation generator and let G : {0, 1}∗ → {0, 1}∞ be a random generator. On input 1k our generator G runs G to get (f, f−1, d) . It sets EG to the following algorithm: EG ←< x : r ← d(1k ) : f (r)||G(r) ⊕ x > where G(r) ⊕ x denotes the XOR of the first |x| bits of G(r) with x. Of course the decryption function is then DG(ys) = s ⊕ G(f−1(y)) .

409 4.1 Theorem :The E(x) = T (r)||G(r) ⊕ x Scheme Is Secure Against Chosen Plaintext attack in the Random Oracle model for trapdoor T. We will prove this by contradiction. Suppose this is not true. That is we have an adversary A = (A0, A1) with significant advantage .A is used to generate the plaintexts m0 and m1. A1 is then handed the challenge c, which is the ciphertext corresponding to a randomly chosen message. Both A0 and A1 can make queries to the random oracle G. Using these algorithms we intend to invert T , the trap-door function without knowing the trap-door.

410 1/2 + s < Pr[Asucceeds|Ak ]Pr[Ak ] + Pr[Asucceeds|Ak ]Pr[Ak ].
If A0 asks a query for r (used to generate the challenge), return r (thus we have inverted the trap-door). Else A0 terminates, and A1 starts. Instead of feeding A1 the challenge ciphertext, it is asked T (r)||z where z = {0, 1}|x| is a random string. It is checked whether A1 makes a query at r, by checking if T (r) = y. Define Ak : Event that A1 asks a query at r. If it does not then it has no advantage in guessing which plaintext was encrypted. 1/2 + s < Pr[Asucceeds|Ak ]Pr[Ak ] + Pr[Asucceeds|Ak ]Pr[Ak ]. < Pr[Ak ] + 1/2 Thus Pr[Ak ] > s Thus we can invert the trapdoor T with significant probability,thus we arrive at a contradiction.

411 4.2 Theorem : The E(x) = f (r)||G(r) ⊕ x||H(rx) Scheme Is Secure Against Chosen Ciphertext attack.
Let A = (F, A1) be an RS-adversary that succeeds with probability 1 + s(k) for some non negligible function s(k). We construct an algorithm M (f, d, y) that computes f (y) non-negligibly often, where (f, f, d) ← G (1 ); r ←d(1k ); y ← d(r). Algorithm M begins by running F (E) where E is de- fined from f as specified by our scheme. F takes three oracles, namely, G, HandDG,H , whose queries are answered by F as follows. If a query r to G satisfies f (r) = y then M outputs r and halts; else it returns a random string of the appropriate length.

412 If a query rx to H satisfies f (r) = y then M outputs r and halts; else it returns a random string of the appropriate length. To answer query a||w||b to DG,H , algorithm M sees if it has already asked some query r of G and ru of H, where a = f (r) and w = G(r) ⊕u, and if so returns u; else it returns invalid. If M completes the running of F (E) then it obtains an output (m0, m1). Now M runs A1(E, m0, m1, α) where α = y||w||b for w ← {0, 1} and b = {0, 1} . Once again, M must simulate the behavior of queries to G, H, and DG,H . This is done exactly as before, when F was being run by M .

413 To see that this construction works, first consider the ”real” environment of A running with its oracles. Let Ak denote the event that a||w||b ← F (E), for some a, w, and b, and A made some oracle call of G(r)or H(ru), where f (r) = a. Let Lk denote the event that A1 asks DG,H some query a||w||b where b = H(f−1(a)||w ⊕ G(f−1(a))), but A1 never asked its H − oracle for the image of f−1(a)||w ⊕ G(f−1(a)). Let n(k) denote the total number of oracle queries made. It is easy to verify that Pr[Lk] ≤ n(k)2−k . It is also easy to see that

414


Download ppt "Introduction to modern cryptography: principles and protocols"

Similar presentations


Ads by Google